Commit e6b6e554 authored by mythria's avatar mythria Committed by Commit bot

[Interpreter] Changes GenerateDoubleToObject to push and pop rsi value.

In the earlier implementation of GenerateDoubleToObject the context
is loaded from the parent's frame. rsi is clobbered because it is used
to store the kHoleNan constant. It is not always safe to peek at
the parent's frame. Bytecode handlers have a TypedFrame and the type of
the frame is stored at FP + 1. GenerateDoubleToObject expects the context
to be stored at that place. In the current implementation rsi is pushed
onto the stack and is popped when exiting this function.

BUG=v8:4280,chromium:597565
LOG=N

Review URL: https://codereview.chromium.org/1848473002

Cr-Commit-Position: refs/heads/master@{#35163}
parent 289f3824
......@@ -704,6 +704,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
__ cmp(edi, Immediate(masm->isolate()->factory()->empty_fixed_array()));
__ j(equal, &only_change_map);
__ push(esi);
__ push(eax);
__ push(edx);
__ push(ebx);
......@@ -753,10 +754,10 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
// Call into runtime if GC is required.
__ bind(&gc_required);
__ mov(esi, Operand(ebp, StandardFrameConstants::kContextOffset));
__ pop(ebx);
__ pop(edx);
__ pop(eax);
__ pop(esi);
__ jmp(fail);
// Box doubles into heap numbers.
......@@ -818,7 +819,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
// Restore registers.
__ pop(eax);
__ mov(esi, Operand(ebp, StandardFrameConstants::kContextOffset));
__ pop(esi);
__ bind(&success);
}
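Review bot: The reason esi is now saved with `__ push(esi);` instead of being reloaded from `StandardFrameConstants::kContextOffset` is recorded only in the commit message, so nothing at the push site stops a later cleanup from bringing the frame load back. I would add a comment above the push, here and above `__ Push(rsi);` in the x64 section, such as `// Save the context: the caller may be a bytecode handler whose typed frame keeps a frame-type marker, not the context, in the context slot.` The stack is balanced only if every exit taken after the push goes through one of the two `pop(esi)` sites. The function body between the hunks is not visible here, so any other jump to `fail` in that region should be checked. If other ports still reload the context from the frame in this function, they probably need the same change.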
......
......@@ -288,6 +288,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
__ CompareRoot(r8, Heap::kEmptyFixedArrayRootIndex);
__ j(equal, &only_change_map);
__ Push(rsi);
__ Push(rax);
__ movp(r8, FieldOperand(rdx, JSObject::kElementsOffset));
......@@ -326,7 +327,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
// Call into runtime if GC is required.
__ bind(&gc_required);
__ Pop(rax);
__ movp(rsi, Operand(rbp, StandardFrameConstants::kContextOffset));
__ Pop(rsi);
__ jmp(fail);
// Box doubles into heap numbers.
......@@ -380,7 +381,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
EMIT_REMEMBERED_SET,
OMIT_SMI_CHECK);
__ Pop(rax);
__ movp(rsi, Operand(rbp, StandardFrameConstants::kContextOffset));
__ Pop(rsi);
__ bind(&only_change_map);
// Set transitioned map.
......
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-inline-new
function __f_2(b, value) {
b[1] = value;
}
function __f_9() {
var arr = [1.5, 0, 0];
// Call with a double, so the expected element type is double.
__f_2(1.5);
// Call with an object, which triggers transition from FAST_double
// to Object for the elements type.
__f_2(arr);
}
__f_9();
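Review bot: The regression test only checks that `__f_9()` does not crash; it never inspects `arr` after the double-to-object transition. With only `--no-inline-new` in the Flags line, it also appears to rely on the test runner's variants to reach the interpreter's bytecode handlers at all. If the file runs under the mjsunit harness, I would add `assertEquals(1.5, arr[0]);` and `assertEquals(undefined, arr[1]);` after the second call so that a wrong store is caught as well as a crash. The comment `// Call with a double, so the expected element type is double.` is misleading, because `__f_2(1.5)` passes the number as `b` and leaves `value` undefined. Something like `// Call with a number as the receiver; value is undefined.` matches the code.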