Status: New
Owner: ----

New issue 1787 by [email protected]: Bug found in StringDictionaryLookupStub::GeneratePositiveLookup() on Arm
http://code.google.com/p/v8/issues/detail?id=1787

The following lines are near the end of this function:

  __ Move(r0, elements);
  __ Move(r1, name);
  StringDictionaryLookupStub stub(POSITIVE_LOOKUP);
  __ CallStub(&stub);

The problem occurs when this stub is called via GenerateDictionaryLoad() in ic-mips.cc. This function is called 4 times, and on the last call, currently at line 1090 (in KeyedLoadIC::GenerateGeneric()), it is called with register r0 as the 'name' (4th) parameter:

  GenerateDictionaryLoad(masm, &slow, r3, r0, r0, r2, r4);

In that case, the above code will overwrite r0 with elements before it can be moved into r1 for the StringDictionaryLookupStub call.

This does not fail in any testcase currently.

I've fixed this bug for mips, as well as another mips-only bug in this function and am still struggling to get a regression test created for it.

My current fix is an ugly hack, but is local to GeneratePositiveLookup():

  if (name.is(a0)) {
    ASSERT(!elements.is(a1));
    __ Move(a1, name);
    __ Move(a0, elements);
  } else {
    __ Move(a0, elements);
    __ Move(a1, name);
  }

I suspect it would be better to refactor the caller ....


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
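As an added illustration (written for this note, not V8 code): the hack above is a special case of a parallel move, and the general fix is to order the individual moves so that no source register is overwritten before it is read, routing a value through a scratch register only when the moves form a cycle. Register names are symbolic strings here; using "at" as the scratch register and "r3" as the register holding elements are assumptions taken from the snippets in the report.

```cpp
// Added example: schedule a set of parallel register moves (dst <- src) so
// no source is clobbered before it is read. This is the general form of the
// "name.is(a0)" check in the report; register names are symbolic strings.
#include <algorithm>
#include <map>
#include <string>
#include <utility>
#include <vector>

using Reg = std::string;
using Move = std::pair<Reg, Reg>;  // {dst, src}

// Returns |pending| in a safe sequential emission order. A move is ready when
// no other pending move still reads its destination. If every move is blocked
// (a cycle such as a0<->a1), one source is parked in |scratch|, which must not
// be a source or destination of any move.
std::vector<Move> ScheduleMoves(std::vector<Move> pending, const Reg& scratch) {
  std::vector<Move> out;
  // Drop no-op moves (dst == src) so they cannot block anything.
  pending.erase(std::remove_if(pending.begin(), pending.end(),
      [](const Move& m) { return m.first == m.second; }), pending.end());
  while (!pending.empty()) {
    size_t ready = pending.size();
    for (size_t i = 0; i < pending.size() && ready == pending.size(); ++i) {
      bool read_later = false;
      for (size_t j = 0; j < pending.size(); ++j)
        if (j != i && pending[j].second == pending[i].first) read_later = true;
      if (!read_later) ready = i;
    }
    if (ready < pending.size()) {  // its destination is no longer needed
      out.push_back(pending[ready]);
      pending.erase(pending.begin() + ready);
    } else {  // cycle: spill one source to scratch and redirect its readers
      Reg src = pending.front().second;
      out.push_back({scratch, src});
      for (Move& m : pending) if (m.second == src) m.second = scratch;
    }
  }
  return out;
}

// Executes |schedule| sequentially on a register file mapping register ->
// symbolic value, so a schedule can be checked for clobbering.
std::map<Reg, std::string> Simulate(std::map<Reg, std::string> regs,
                                    const std::vector<Move>& schedule) {
  for (const Move& m : schedule) regs[m.first] = regs[m.second];
  return regs;
}
```

For the reported call, the pending moves are {a0 <- r3 (elements), a1 <- a0 (name)}; the scheduler emits the a1 move first, which is exactly the reordering in the hack.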