• jarin@chromium.org's avatar
    Fix of argument materialization of captured heap numbers. · 713aa33f
    jarin@chromium.org authored
    The escape analysis calculates the number of slots in an object as
    no-of-slots = object-size / pointer-size.  This gives 3 slots for
    heap numbers on 32-bit architectures (one slot for the map, two for
    the double value); however, my argument materialization code assumed
    just two slots (map + value). Since Hydrogen allocates heap numbers
    quite rarely, it is hard to produce a more meaningful repro than the
    one provided by Clusterfuzz. Any suggestions are welcome.
    
    The fix is simple - we just read out all extra slots (beyond the map
    and the double) for heap numbers.
    
    R=mstarzinger@chromium.org
    BUG=351315
    LOG=N
    
    Review URL: https://codereview.chromium.org/196283004
    
    git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19874 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
    713aa33f
Name
Last commit
Last update
..
bugs Loading commit data...
compiler Loading commit data...
es7 Loading commit data...
harmony Loading commit data...
lithium Loading commit data...
regress Loading commit data...
third_party Loading commit data...
tools Loading commit data...
accessor-map-sharing.js Loading commit data...
accessors-on-global-object.js Loading commit data...
allocation-folding.js Loading commit data...
allocation-site-info.js Loading commit data...
api-call-after-bypassed-exception.js Loading commit data...
apply-arguments-gc-safepoint.js Loading commit data...
apply.js Loading commit data...
argument-assigned.js Loading commit data...
argument-named-arguments.js Loading commit data...
arguments-apply-deopt.js Loading commit data...
arguments-apply.js Loading commit data...
arguments-call-apply.js Loading commit data...
arguments-enum.js Loading commit data...
arguments-escape.js Loading commit data...
arguments-indirect.js Loading commit data...
arguments-lazy.js Loading commit data...
arguments-load-across-eval.js Loading commit data...
arguments-opt.js Loading commit data...
arguments-read-and-assignment.js Loading commit data...
arguments.js Loading commit data...
array-bounds-check-removal.js Loading commit data...
array-concat.js Loading commit data...
array-construct-transition.js Loading commit data...
array-constructor-feedback.js Loading commit data...
array-constructor.js Loading commit data...
array-elements-from-array-prototype-chain.js Loading commit data...
array-elements-from-array-prototype.js Loading commit data...
array-elements-from-object-prototype.js Loading commit data...
array-feedback.js Loading commit data...
array-functions-prototype-misc.js Loading commit data...
array-functions-prototype.js Loading commit data...
array-indexing.js Loading commit data...
array-iteration.js Loading commit data...
array-join.js Loading commit data...
array-length-number-conversion.js Loading commit data...
array-length.js Loading commit data...
array-literal-feedback.js Loading commit data...
array-literal-transitions.js Loading commit data...
array-natives-elements.js Loading commit data...
array-non-smi-length.js Loading commit data...
array-pop.js Loading commit data...
array-push-non-smi-value.js Loading commit data...
array-push.js Loading commit data...
array-reduce.js Loading commit data...
array-shift.js Loading commit data...
array-slice.js Loading commit data...
array-sort.js Loading commit data...
array-splice.js Loading commit data...
array-store-and-grow.js Loading commit data...
array-tostring.js Loading commit data...
array-unshift.js Loading commit data...
ascii-regexp-subject.js Loading commit data...
assert-opt-and-deopt.js Loading commit data...
big-array-literal.js Loading commit data...
big-object-literal.js Loading commit data...
binary-op-newspace.js Loading commit data...
binary-operation-overwrite.js Loading commit data...
bit-not.js Loading commit data...
bitops-info.js Loading commit data...
bitwise-operations-bools.js Loading commit data...
bitwise-operations-undefined.js Loading commit data...
body-not-visible.js Loading commit data...
bool-concat.js Loading commit data...
boolean.js Loading commit data...
break.js Loading commit data...
builtins.js Loading commit data...
call-non-function-call.js Loading commit data...
call-non-function.js Loading commit data...
call-stub.js Loading commit data...
call.js Loading commit data...
char-escape.js Loading commit data...
class-of-builtins.js Loading commit data...
closure.js Loading commit data...
closures.js Loading commit data...
codegen-coverage.js Loading commit data...
compare-character.js Loading commit data...
compare-known-objects-slow.js Loading commit data...
compare-known-objects.js Loading commit data...
compare-nan.js Loading commit data...
compare-nil.js Loading commit data...
compare-objects.js Loading commit data...
comparison-ops-and-undefined.js Loading commit data...
concurrent-initial-prototype-change.js Loading commit data...
const-declaration.js Loading commit data...
const-eval-init.js Loading commit data...
const-redecl.js Loading commit data...
const.js Loading commit data...
constant-compare-nil-value.js Loading commit data...
constant-fold-control-instructions.js Loading commit data...
constant-folding-2.js Loading commit data...
constant-folding.js Loading commit data...
context-calls-maintained.js Loading commit data...
context-variable-assignments.js Loading commit data...
contextual-calls.js Loading commit data...
copy-on-write-assert.js Loading commit data...
count-based-osr.js Loading commit data...
cyclic-array-to-string.js Loading commit data...
cyrillic.js Loading commit data...
d8-os.js Loading commit data...
d8-performance-now.js Loading commit data...
date-parse.js Loading commit data...
date.js Loading commit data...
debug-backtrace-text.js Loading commit data...
debug-backtrace.js Loading commit data...
debug-break-inline.js Loading commit data...
debug-breakpoints.js Loading commit data...
debug-changebreakpoint.js Loading commit data...
debug-clearbreakpoint.js Loading commit data...
debug-clearbreakpointgroup.js Loading commit data...
debug-compile-event-newfunction.js Loading commit data...
debug-compile-event.js Loading commit data...
debug-conditional-breakpoints.js Loading commit data...
debug-constructed-by.js Loading commit data...
debug-constructor.js Loading commit data...
debug-continue.js Loading commit data...
debug-enable-disable-breakpoints.js Loading commit data...
debug-evaluate-arguments.js Loading commit data...
debug-evaluate-bool-constructor.js Loading commit data...
debug-evaluate-closure.js Loading commit data...
debug-evaluate-const.js Loading commit data...
debug-evaluate-locals-optimized-double.js Loading commit data...
debug-evaluate-locals-optimized.js Loading commit data...
debug-evaluate-locals.js Loading commit data...
debug-evaluate-recursive.js Loading commit data...
debug-evaluate-with-context.js Loading commit data...
debug-evaluate-with.js Loading commit data...
debug-evaluate.js Loading commit data...
debug-event-listener.js Loading commit data...
debug-function-scopes.js Loading commit data...
debug-handle.js Loading commit data...
debug-ignore-breakpoints.js Loading commit data...
debug-listbreakpoints.js Loading commit data...
debug-liveedit-1.js Loading commit data...
debug-liveedit-2.js Loading commit data...
debug-liveedit-3.js Loading commit data...
debug-liveedit-4.js Loading commit data...
debug-liveedit-breakpoints.js Loading commit data...
debug-liveedit-check-stack.js Loading commit data...
debug-liveedit-compile-error.js Loading commit data...
debug-liveedit-diff.js Loading commit data...
debug-liveedit-double-call.js Loading commit data...
debug-liveedit-literals.js Loading commit data...
debug-liveedit-newsource.js Loading commit data...
debug-liveedit-patch-positions-replace.js Loading commit data...
debug-liveedit-patch-positions.js Loading commit data...
debug-liveedit-restart-frame.js Loading commit data...
debug-liveedit-stack-padding.js Loading commit data...
debug-liveedit-utils.js Loading commit data...
debug-mirror-cache.js Loading commit data...
debug-multiple-breakpoints.js Loading commit data...
debug-receiver.js Loading commit data...
debug-referenced-by.js Loading commit data...
debug-references.js Loading commit data...
debug-return-value.js Loading commit data...
debug-scopes.js Loading commit data...
debug-script-breakpoints-closure.js Loading commit data...
debug-script-breakpoints-nested.js Loading commit data...
debug-script-breakpoints.js Loading commit data...
debug-script.js Loading commit data...
debug-scripts-request.js Loading commit data...
debug-set-script-source.js Loading commit data...
debug-set-variable-value.js Loading commit data...
debug-setbreakpoint.js Loading commit data...
debug-setexceptionbreak.js Loading commit data...
debug-sourceinfo.js Loading commit data...
debug-sourceslice.js Loading commit data...
debug-step-2.js Loading commit data...
debug-step-3.js Loading commit data...
debug-step-4-in-frame.js Loading commit data...
debug-step-stub-callfunction.js Loading commit data...
debug-step.js Loading commit data...
debug-stepin-accessor.js Loading commit data...
debug-stepin-builtin-callback.js Loading commit data...
debug-stepin-builtin.js Loading commit data...
debug-stepin-call-function-stub.js Loading commit data...
debug-stepin-constructor.js Loading commit data...
debug-stepin-function-call.js Loading commit data...
debug-stepin-positions.js Loading commit data...
debug-stepnext-do-while.js Loading commit data...
debug-stepout-recursive-function.js Loading commit data...
debug-stepout-scope-part1.js Loading commit data...
debug-stepout-scope-part2.js Loading commit data...
debug-stepout-scope-part3.js Loading commit data...
debug-stepout-scope-part4.js Loading commit data...
debug-stepout-scope-part5.js Loading commit data...
debug-stepout-scope-part6.js Loading commit data...
debug-stepout-scope-part7.js Loading commit data...
debug-stepout-scope-part8.js Loading commit data...
debug-stepout-to-builtin.js Loading commit data...
debug-suspend.js Loading commit data...
debug-version.js Loading commit data...
declare-locally.js Loading commit data...
deep-recursion.js Loading commit data...
define-property-gc.js Loading commit data...
delay-syntax-error.js Loading commit data...
delete-global-properties.js Loading commit data...
delete-in-eval.js Loading commit data...
delete-in-with.js Loading commit data...
delete-non-configurable.js Loading commit data...
delete-vars-from-eval.js Loading commit data...
delete.js Loading commit data...
deopt-minus-zero.js Loading commit data...
deopt-with-fp-regs.js Loading commit data...
div-mod.js Loading commit data...
div-mul-minus-one.js Loading commit data...
do-not-strip-fc.js Loading commit data...
dont-enum-array-holes.js Loading commit data...
dont-reinit-global-var.js Loading commit data...
double-equals.js Loading commit data...
double-intrinsics.js Loading commit data...
double-truncation.js Loading commit data...
dtoa.js Loading commit data...
elements-kind-depends.js Loading commit data...
elements-kind.js Loading commit data...
elements-length-no-holey.js Loading commit data...
elements-transition-and-store.js Loading commit data...
elements-transition-hoisting.js Loading commit data...
elements-transition.js Loading commit data...
elide-double-hole-check-1.js Loading commit data...
elide-double-hole-check-2.js Loading commit data...
elide-double-hole-check-3.js Loading commit data...
elide-double-hole-check-4.js Loading commit data...
elide-double-hole-check-5.js Loading commit data...
elide-double-hole-check-6.js Loading commit data...
elide-double-hole-check-7.js Loading commit data...
elide-double-hole-check-8.js Loading commit data...
elide-double-hole-check-9.js Loading commit data...
enumeration-order.js Loading commit data...
error-accessors.js Loading commit data...
error-constructors.js Loading commit data...
error-tostring-omit.js Loading commit data...
error-tostring.js Loading commit data...
escape.js Loading commit data...
eval-enclosing-function-name.js Loading commit data...
eval-stack-trace.js Loading commit data...
eval-typeof-non-existing.js Loading commit data...
eval.js Loading commit data...
external-array-no-sse2.js Loading commit data...
external-array.js Loading commit data...
extra-arguments.js Loading commit data...
extra-commas.js Loading commit data...
fast-array-length.js Loading commit data...
fast-element-smi-check.js Loading commit data...
fast-literal.js Loading commit data...
fast-non-keyed.js Loading commit data...
fast-prototype.js Loading commit data...
for-in-delete.js Loading commit data...
for-in-null-or-undefined.js Loading commit data...
for-in-special-cases.js Loading commit data...
for-in.js Loading commit data...
for.js Loading commit data...
fun-as-prototype.js Loading commit data...
fun-name.js Loading commit data...
function-arguments-duplicate.js Loading commit data...
function-arguments-null.js Loading commit data...
function-bind.js Loading commit data...
function-call.js Loading commit data...
function-caller.js Loading commit data...
function-named-self-reference.js Loading commit data...
function-names.js Loading commit data...
function-property.js Loading commit data...
function-prototype.js Loading commit data...
function-source.js Loading commit data...
function-without-prototype.js Loading commit data...
function.js Loading commit data...
fuzz-accessors.js Loading commit data...
fuzz-natives-part1.js Loading commit data...
fuzz-natives-part2.js Loading commit data...
fuzz-natives-part3.js Loading commit data...
fuzz-natives-part4.js Loading commit data...
generated-transition-stub.js Loading commit data...
get-own-property-descriptor.js Loading commit data...
get-prototype-of.js Loading commit data...
getter-in-prototype.js Loading commit data...
getter-in-value-prototype.js Loading commit data...
getters-on-elements.js Loading commit data...
global-accessors.js Loading commit data...
global-const-var-conflicts.js Loading commit data...
global-deleted-property-ic.js Loading commit data...
global-deleted-property-keyed.js Loading commit data...
global-ic.js Loading commit data...
global-load-from-eval-in-with.js Loading commit data...
global-load-from-eval.js Loading commit data...
global-load-from-nested-eval.js Loading commit data...
global-vars-eval.js Loading commit data...
global-vars-with.js Loading commit data...
greedy.js Loading commit data...
has-own-property.js Loading commit data...
hex-parsing.js Loading commit data...
html-comments.js Loading commit data...
html-string-funcs.js Loading commit data...
if-in-undefined.js Loading commit data...
in.js Loading commit data...
indexed-accessors.js Loading commit data...
indexed-value-properties.js Loading commit data...
instanceof-2.js Loading commit data...
instanceof.js Loading commit data...
int32-ops.js Loading commit data...
integer-to-string.js Loading commit data...
invalid-lhs.js Loading commit data...
invalid-source-element.js Loading commit data...
json-parser-recursive.js Loading commit data...
json-stringify-recursive.js Loading commit data...
json.js Loading commit data...
json2.js Loading commit data...
keyed-array-call.js Loading commit data...
keyed-call-generic.js Loading commit data...
keyed-call-ic.js Loading commit data...
keyed-ic.js Loading commit data...
keyed-storage-extend.js Loading commit data...
keywords-and-reserved_words.js Loading commit data...
large-object-allocation.js Loading commit data...
large-object-literal.js Loading commit data...
lazy-load.js Loading commit data...
lea-add.js Loading commit data...
leakcheck.js Loading commit data...
length.js Loading commit data...
limit-locals.js Loading commit data...
load-callback-from-value-classic.js Loading commit data...
load_poly_effect.js Loading commit data...
local-load-from-eval.js Loading commit data...
logical.js Loading commit data...
math-abs.js Loading commit data...
math-exp-precision.js Loading commit data...
math-floor-negative.js Loading commit data...
math-floor-of-div-minus-zero.js Loading commit data...
math-floor-of-div-nosudiv.js Loading commit data...
math-floor-of-div.js Loading commit data...
math-floor-part1.js Loading commit data...
math-floor-part2.js Loading commit data...
math-floor-part3.js Loading commit data...
math-floor-part4.js Loading commit data...
math-imul.js Loading commit data...
math-min-max.js Loading commit data...
math-pow.js Loading commit data...
math-round.js Loading commit data...
math-sqrt.js Loading commit data...
md5.js Loading commit data...
megamorphic-callbacks.js Loading commit data...
mirror-array.js Loading commit data...
mirror-boolean.js Loading commit data...
mirror-date.js Loading commit data...
mirror-error.js Loading commit data...
mirror-function.js Loading commit data...
mirror-null.js Loading commit data...
mirror-number.js Loading commit data...
mirror-object.js Loading commit data...
mirror-regexp.js Loading commit data...
mirror-script.js Loading commit data...
mirror-string.js Loading commit data...
mirror-undefined.js Loading commit data...
mirror-unresolved-function.js Loading commit data...
mjsunit.js Loading commit data...
mjsunit.status Loading commit data...
mod.js Loading commit data...
mul-exhaustive-part1.js Loading commit data...
mul-exhaustive-part10.js Loading commit data...
mul-exhaustive-part2.js Loading commit data...
mul-exhaustive-part3.js Loading commit data...
mul-exhaustive-part4.js Loading commit data...
mul-exhaustive-part5.js Loading commit data...
mul-exhaustive-part6.js Loading commit data...
mul-exhaustive-part7.js Loading commit data...
mul-exhaustive-part8.js Loading commit data...
mul-exhaustive-part9.js Loading commit data...
multiline.js Loading commit data...
multiple-return.js Loading commit data...
nans.js Loading commit data...
negate-zero.js Loading commit data...
negate.js Loading commit data...
never-optimize.js Loading commit data...
new-function.js Loading commit data...
new-string-add.js Loading commit data...
new.js Loading commit data...
newline-in-string.js Loading commit data...
no-branch-elimination.js Loading commit data...
no-octal-constants-above-256.js Loading commit data...
no-semicolon.js Loading commit data...
non-ascii-replace.js Loading commit data...
not.js Loading commit data...
nul-characters.js Loading commit data...
number-is.js Loading commit data...
number-limits.js Loading commit data...
number-string-index-call.js Loading commit data...
number-tostring-add.js Loading commit data...
number-tostring-func.js Loading commit data...
number-tostring-small.js Loading commit data...
number-tostring.js Loading commit data...
numops-fuzz-part1.js Loading commit data...
numops-fuzz-part2.js Loading commit data...
numops-fuzz-part3.js Loading commit data...
numops-fuzz-part4.js Loading commit data...
obj-construct.js Loading commit data...
object-create.js Loading commit data...
object-define-properties.js Loading commit data...
object-define-property.js Loading commit data...
object-freeze.js Loading commit data...
object-get-own-property-names.js Loading commit data...
object-is.js Loading commit data...
object-literal-conversions.js Loading commit data...
object-literal-gc.js Loading commit data...
object-literal-overwrite.js Loading commit data...
object-literal.js Loading commit data...
object-prevent-extensions.js Loading commit data...
object-seal.js Loading commit data...
object-toprimitive.js Loading commit data...
omit-constant-mapcheck.js Loading commit data...
opt-elements-kind.js Loading commit data...
optimized-typeof.js Loading commit data...
osr-elements-kind.js Loading commit data...
override-read-only-property.js Loading commit data...
packed-elements.js Loading commit data...
parallel-optimize-disabled.js Loading commit data...
parse-int-float.js Loading commit data...
pixel-array-rounding.js Loading commit data...
polymorph-arrays.js Loading commit data...
property-load-across-eval.js Loading commit data...
property-object-key.js Loading commit data...
proto-accessor.js Loading commit data...
proto.js Loading commit data...
prototype.js Loading commit data...
readonly.js Loading commit data...
receiver-in-with-calls.js Loading commit data...
recursive-store-opt.js Loading commit data...
regexp-UC16.js Loading commit data...
regexp-cache-replace.js Loading commit data...
regexp-call-as-function.js Loading commit data...
regexp-capture-3.js Loading commit data...
regexp-capture.js Loading commit data...
regexp-captures.js Loading commit data...
regexp-compile.js Loading commit data...
regexp-global.js Loading commit data...
regexp-indexof.js Loading commit data...
regexp-lookahead.js Loading commit data...
regexp-loop-capture.js Loading commit data...
regexp-multiline.js Loading commit data...
regexp-results-cache.js Loading commit data...
regexp-standalones.js Loading commit data...
regexp-static.js Loading commit data...
regexp-string-methods.js Loading commit data...
regexp.js Loading commit data...
regress-keyed-store-non-strict-arguments.js Loading commit data...
regress-sync-optimized-lists.js Loading commit data...
samevalue.js Loading commit data...
scanner.js Loading commit data...
scope-calls-eval.js Loading commit data...
search-string-multiple.js Loading commit data...
setter-on-constructor-prototype.js Loading commit data...
setters-on-elements.js Loading commit data...
shift-for-integer-div.js Loading commit data...
shifts.js Loading commit data...
short-circuit-boolean.js Loading commit data...
simple-constructor.js Loading commit data...
sin-cos.js Loading commit data...
smi-mul-const.js Loading commit data...
smi-mul.js Loading commit data...
smi-negative-zero.js Loading commit data...
smi-ops-inlined.js Loading commit data...
smi-ops.js Loading commit data...
smi-representation.js Loading commit data...
sparse-array-reverse.js Loading commit data...
sparse-array.js Loading commit data...
stack-traces-2.js Loading commit data...
stack-traces-custom-lazy.js Loading commit data...
stack-traces-overflow.js Loading commit data...
stack-traces.js Loading commit data...
store-dictionary.js Loading commit data...
str-to-num.js Loading commit data...
stress-array-push.js Loading commit data...
strict-equals.js Loading commit data...
strict-mode-eval.js Loading commit data...
strict-mode-implicit-receiver.js Loading commit data...
strict-mode-opt.js Loading commit data...
strict-mode.js Loading commit data...
string-add.js Loading commit data...
string-case.js Loading commit data...
string-charat.js Loading commit data...
string-charcodeat.js Loading commit data...
string-compare-alignment.js Loading commit data...
string-external-cached.js Loading commit data...
string-externalize.js Loading commit data...
string-flatten.js Loading commit data...
string-fromcharcode.js Loading commit data...
string-index.js Loading commit data...
string-indexof-1.js Loading commit data...
string-indexof-2.js Loading commit data...
string-lastindexof.js Loading commit data...
string-localecompare.js Loading commit data...
string-match.js Loading commit data...
string-natives.js Loading commit data...
string-replace-gc.js Loading commit data...
string-replace-one-char.js Loading commit data...
string-replace-with-empty.js Loading commit data...
string-replace.js Loading commit data...
string-search.js Loading commit data...
string-slices-regexp.js Loading commit data...
string-slices.js Loading commit data...
string-split-cache.js Loading commit data...
string-split.js Loading commit data...
substr.js Loading commit data...
sum-0-plus-undefined-is-NaN.js Loading commit data...
switch-opt.js Loading commit data...
switch.js Loading commit data...
test-hidden-string.js Loading commit data...
testcfg.py Loading commit data...
this-in-callbacks.js Loading commit data...
this-property-assignment.js Loading commit data...
this.js Loading commit data...
throw-and-catch-function.js Loading commit data...
throw-exception-for-null-access.js Loading commit data...
to-precision.js Loading commit data...
to_number_order.js Loading commit data...
tobool.js Loading commit data...
toint32.js Loading commit data...
top-level-assignments.js Loading commit data...
touint32.js Loading commit data...
track-fields.js Loading commit data...
transcendentals.js Loading commit data...
transition-elements-kind.js Loading commit data...
try-catch-extension-object.js Loading commit data...
try-catch-scopes.js Loading commit data...
try-finally-continue.js Loading commit data...
try-finally-nested.js Loading commit data...
try.js Loading commit data...
typed-array-slice.js Loading commit data...
typeof.js Loading commit data...
unary-minus-deopt.js Loading commit data...
unbox-double-arrays.js Loading commit data...
undeletable-functions.js Loading commit data...
unicode-case-overoptimization.js Loading commit data...
unicode-string-to-number.js Loading commit data...
unicode-test.js Loading commit data...
unicodelctest-no-optimization.js Loading commit data...
unicodelctest.js Loading commit data...
unusual-constructor.js Loading commit data...
uri.js Loading commit data...
value-callic-prototype-change.js Loading commit data...
value-of.js Loading commit data...
value-wrapper-accessor.js Loading commit data...
value-wrapper.js Loading commit data...
var.js Loading commit data...
verify-assert-false.js Loading commit data...
verify-check-false.js Loading commit data...
whitespaces.js Loading commit data...
with-function-expression.js Loading commit data...
with-leave.js Loading commit data...
with-parameter-access.js Loading commit data...
with-prototype.js Loading commit data...
with-readonly.js Loading commit data...
with-value.js Loading commit data...