Commit d6473f5c authored by mlippautz's avatar mlippautz Committed by Commit bot

[Heap] Fix comparing against new space top pointer

See bug description.

BUG=chromium:619382
LOG=N
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2065063002
Cr-Commit-Position: refs/heads/master@{#36968}
parent f1ac74b2
...@@ -3845,7 +3845,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento( ...@@ -3845,7 +3845,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(
Label* no_memento_found) { Label* no_memento_found) {
Label map_check; Label map_check;
Label top_check; Label top_check;
ExternalReference new_space_allocation_top = ExternalReference new_space_allocation_top_adr =
ExternalReference::new_space_allocation_top_address(isolate()); ExternalReference::new_space_allocation_top_address(isolate());
const int kMementoMapOffset = JSArray::kSize - kHeapObjectTag; const int kMementoMapOffset = JSArray::kSize - kHeapObjectTag;
const int kMementoEndOffset = kMementoMapOffset + AllocationMemento::kSize; const int kMementoEndOffset = kMementoMapOffset + AllocationMemento::kSize;
...@@ -3855,7 +3855,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento( ...@@ -3855,7 +3855,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento(
// If the object is in new space, we need to check whether it is on the same // If the object is in new space, we need to check whether it is on the same
// page as the current top. // page as the current top.
add(scratch_reg, receiver_reg, Operand(kMementoEndOffset)); add(scratch_reg, receiver_reg, Operand(kMementoEndOffset));
eor(scratch_reg, scratch_reg, Operand(new_space_allocation_top)); mov(ip, Operand(new_space_allocation_top_adr));
ldr(ip, MemOperand(ip));
eor(scratch_reg, scratch_reg, Operand(ip));
tst(scratch_reg, Operand(~Page::kPageAlignmentMask)); tst(scratch_reg, Operand(~Page::kPageAlignmentMask));
b(eq, &top_check); b(eq, &top_check);
// The object is on a different page than allocation top. Bail out if the // The object is on a different page than allocation top. Bail out if the
...@@ -3871,7 +3873,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento( ...@@ -3871,7 +3873,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento(
// we are below top. // we are below top.
bind(&top_check); bind(&top_check);
add(scratch_reg, receiver_reg, Operand(kMementoEndOffset)); add(scratch_reg, receiver_reg, Operand(kMementoEndOffset));
cmp(scratch_reg, Operand(new_space_allocation_top)); mov(ip, Operand(new_space_allocation_top_adr));
ldr(ip, MemOperand(ip));
cmp(scratch_reg, ip);
b(gt, no_memento_found); b(gt, no_memento_found);
// Memento map check. // Memento map check.
bind(&map_check); bind(&map_check);
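Review bot: The mov/ldr pair added before the eor and again before the cmp carries no comment saying why the value has to be loaded through the reference, which is the whole point of the fix: `new_space_allocation_top_adr` is the address of the top slot, and the old code XOR'd and compared the receiver address against that slot address instead of the current top, so the same-page and below-top checks presumably could pass for a receiver whose memento slot lies past top and the following memento map read would touch memory beyond the allocated region. A one-line comment before each load, `// ExternalReference is the address of the top slot; load the current top value.`, would stop the next reader from folding the load back into the operand. The same comment is missing in the arm64, mips and mips64 sections below, which make the identical change with scratch2 and at. The reload at top_check is presumably needed because ip may be clobbered on the path between the two hunks, which is outside this view; TestJSArrayForAllocationMemento starts before the first hunk and continues past the last.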
......
...@@ -1536,7 +1536,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver, ...@@ -1536,7 +1536,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver,
Label* no_memento_found) { Label* no_memento_found) {
Label map_check; Label map_check;
Label top_check; Label top_check;
ExternalReference new_space_allocation_top = ExternalReference new_space_allocation_top_adr =
ExternalReference::new_space_allocation_top_address(isolate()); ExternalReference::new_space_allocation_top_address(isolate());
const int kMementoMapOffset = JSArray::kSize - kHeapObjectTag; const int kMementoMapOffset = JSArray::kSize - kHeapObjectTag;
const int kMementoEndOffset = kMementoMapOffset + AllocationMemento::kSize; const int kMementoEndOffset = kMementoMapOffset + AllocationMemento::kSize;
...@@ -1546,7 +1546,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver, ...@@ -1546,7 +1546,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver,
Add(scratch1, receiver, kMementoEndOffset); Add(scratch1, receiver, kMementoEndOffset);
// If the object is in new space, we need to check whether it is on the same // If the object is in new space, we need to check whether it is on the same
// page as the current top. // page as the current top.
Eor(scratch2, scratch1, new_space_allocation_top); Mov(scratch2, new_space_allocation_top_adr);
Ldr(scratch2, MemOperand(scratch2));
Eor(scratch2, scratch1, scratch2);
Tst(scratch2, ~Page::kPageAlignmentMask); Tst(scratch2, ~Page::kPageAlignmentMask);
B(eq, &top_check); B(eq, &top_check);
// The object is on a different page than allocation top. Bail out if the // The object is on a different page than allocation top. Bail out if the
...@@ -1560,7 +1562,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver, ...@@ -1560,7 +1562,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver,
// If top is on the same page as the current object, we need to check whether // If top is on the same page as the current object, we need to check whether
// we are below top. // we are below top.
bind(&top_check); bind(&top_check);
Cmp(scratch1, new_space_allocation_top); Mov(scratch2, new_space_allocation_top_adr);
Ldr(scratch2, MemOperand(scratch2));
Cmp(scratch1, scratch2);
B(gt, no_memento_found); B(gt, no_memento_found);
// Memento map check. // Memento map check.
bind(&map_check); bind(&map_check);
......
...@@ -6609,7 +6609,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg, ...@@ -6609,7 +6609,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg,
Label* no_memento_found) { Label* no_memento_found) {
Label map_check; Label map_check;
Label top_check; Label top_check;
ExternalReference new_space_allocation_top = ExternalReference new_space_allocation_top_adr =
ExternalReference::new_space_allocation_top_address(isolate()); ExternalReference::new_space_allocation_top_address(isolate());
const int kMementoMapOffset = JSArray::kSize - kHeapObjectTag; const int kMementoMapOffset = JSArray::kSize - kHeapObjectTag;
const int kMementoEndOffset = kMementoMapOffset + AllocationMemento::kSize; const int kMementoEndOffset = kMementoMapOffset + AllocationMemento::kSize;
...@@ -6619,7 +6619,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg, ...@@ -6619,7 +6619,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg,
// If the object is in new space, we need to check whether it is on the same // If the object is in new space, we need to check whether it is on the same
// page as the current top. // page as the current top.
Addu(scratch_reg, receiver_reg, Operand(kMementoEndOffset)); Addu(scratch_reg, receiver_reg, Operand(kMementoEndOffset));
Xor(scratch_reg, scratch_reg, Operand(new_space_allocation_top)); li(at, Operand(new_space_allocation_top_adr));
lw(at, MemOperand(at));
Xor(scratch_reg, scratch_reg, Operand(at));
And(scratch_reg, scratch_reg, Operand(~Page::kPageAlignmentMask)); And(scratch_reg, scratch_reg, Operand(~Page::kPageAlignmentMask));
Branch(&top_check, eq, scratch_reg, Operand(zero_reg)); Branch(&top_check, eq, scratch_reg, Operand(zero_reg));
// The object is on a different page than allocation top. Bail out if the // The object is on a different page than allocation top. Bail out if the
...@@ -6635,7 +6637,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg, ...@@ -6635,7 +6637,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg,
// we are below top. // we are below top.
bind(&top_check); bind(&top_check);
Addu(scratch_reg, receiver_reg, Operand(kMementoEndOffset)); Addu(scratch_reg, receiver_reg, Operand(kMementoEndOffset));
li(at, Operand(new_space_allocation_top)); li(at, Operand(new_space_allocation_top_adr));
lw(at, MemOperand(at)); lw(at, MemOperand(at));
Branch(no_memento_found, gt, scratch_reg, Operand(at)); Branch(no_memento_found, gt, scratch_reg, Operand(at));
// Memento map check. // Memento map check.
......
...@@ -6958,7 +6958,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg, ...@@ -6958,7 +6958,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg,
Label* no_memento_found) { Label* no_memento_found) {
Label map_check; Label map_check;
Label top_check; Label top_check;
ExternalReference new_space_allocation_top = ExternalReference new_space_allocation_top_adr =
ExternalReference::new_space_allocation_top_address(isolate()); ExternalReference::new_space_allocation_top_address(isolate());
const int kMementoMapOffset = JSArray::kSize - kHeapObjectTag; const int kMementoMapOffset = JSArray::kSize - kHeapObjectTag;
const int kMementoEndOffset = kMementoMapOffset + AllocationMemento::kSize; const int kMementoEndOffset = kMementoMapOffset + AllocationMemento::kSize;
...@@ -6968,7 +6968,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg, ...@@ -6968,7 +6968,9 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg,
// If the object is in new space, we need to check whether it is on the same // If the object is in new space, we need to check whether it is on the same
// page as the current top. // page as the current top.
Daddu(scratch_reg, receiver_reg, Operand(kMementoEndOffset)); Daddu(scratch_reg, receiver_reg, Operand(kMementoEndOffset));
Xor(scratch_reg, scratch_reg, Operand(new_space_allocation_top)); li(at, Operand(new_space_allocation_top_adr));
ld(at, MemOperand(at));
Xor(scratch_reg, scratch_reg, Operand(at));
And(scratch_reg, scratch_reg, Operand(~Page::kPageAlignmentMask)); And(scratch_reg, scratch_reg, Operand(~Page::kPageAlignmentMask));
Branch(&top_check, eq, scratch_reg, Operand(zero_reg)); Branch(&top_check, eq, scratch_reg, Operand(zero_reg));
// The object is on a different page than allocation top. Bail out if the // The object is on a different page than allocation top. Bail out if the
...@@ -6984,7 +6986,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg, ...@@ -6984,7 +6986,7 @@ void MacroAssembler::TestJSArrayForAllocationMemento(Register receiver_reg,
// we are below top. // we are below top.
bind(&top_check); bind(&top_check);
Daddu(scratch_reg, receiver_reg, Operand(kMementoEndOffset)); Daddu(scratch_reg, receiver_reg, Operand(kMementoEndOffset));
li(at, Operand(new_space_allocation_top)); li(at, Operand(new_space_allocation_top_adr));
ld(at, MemOperand(at)); ld(at, MemOperand(at));
Branch(no_memento_found, gt, scratch_reg, Operand(at)); Branch(no_memento_found, gt, scratch_reg, Operand(at));
// Memento map check. // Memento map check.
......
// Copyright 2016 the V8 project authors. All rights reserved.
// // Use of this source code is governed by a BSD-style license that can be
// // found in the LICENSE file.
//
// // Flags: --expose-gc --always-opt
(function __f_9() {
})();
function __f_16(ctor_desc) {
var __v_22 = 5;
var __v_25 = [];
gc(); gc(); gc();
for (var __v_18 = 0; __v_18 < __v_22; __v_18++) {
__v_25[__v_18] = ctor_desc.ctor.apply();
}
}
var __v_28 = [
{
ctor: function(__v_27) { return {a: __v_27}; },
args: function() { return [1.5 + __v_18]; } },
{
ctor: function(__v_27) { var __v_21 = []; __v_21[1] = __v_27; __v_21[200000] = __v_27; return __v_21; },
args: function() { return [1.5 + __v_18]; } },
{
ctor: function() {
} }
];
var __v_26 = [
{
}];
__v_26.forEach(function(__v_16) {
__v_28.forEach(function(ctor) {
__f_16(ctor);
});
});
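Review bot: The added regression test has no comment tying it to the bug it covers; with only fuzzer-style names, a reader cannot tell what behaviour it pins or why --always-opt and gc() are needed. A header line after the Flags line such as `// Regression test for chromium:619382 (allocation-memento check against new-space top).` would do. Several parts are dead as written: `__f_9` is empty, the `args` functions are never called, and `__v_26` holds a single empty object whose `__v_16` parameter is unused; presumably a reduced fuzzer case, which is harmless, but worth saying in the comment if they are kept. The doubled `// //` prefix on the license and Flags lines looks like a rendering artifact rather than the file content.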