[v8-dev] [v8] r14777 committed - Fix embedded new-space pointer in LCmpObjectEqAndBranch....

codesite-noreply Thu, 23 May 2013 07:35:14 -0700

Revision: 14777
Author:   [email protected]
Date:     Thu May 23 07:06:28 2013
Log:      Fix embedded new-space pointer in LCmpObjectEqAndBranch.


[email protected]
BUG=chromium:240032
TEST=mjsunit/regress/regress-crbug-240032

Review URL: https://codereview.chromium.org/15779004
http://code.google.com/p/v8/source/detail?r=14777

Added:
 /branches/bleeding_edge/test/mjsunit/regress/regress-crbug-240032.js
Modified:
 /branches/bleeding_edge/src/ia32/lithium-codegen-ia32.cc
 /branches/bleeding_edge/src/ia32/macro-assembler-ia32.cc
 /branches/bleeding_edge/src/ia32/macro-assembler-ia32.h
 /branches/bleeding_edge/src/x64/lithium-codegen-x64.cc
 /branches/bleeding_edge/src/x64/macro-assembler-x64.cc
 /branches/bleeding_edge/src/x64/macro-assembler-x64.h

=======================================
--- /dev/null

+++ /branches/bleeding_edge/test/mjsunit/regress/regress-crbug-240032.jsThu May 23 07:06:28 2013

@@ -0,0 +1,48 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+// Generate closures in that live in new-space.
+function mk() {
+  return function() {};
+}
+assertInstanceof(mk(), Function);
+assertInstanceof(mk(), Function);
+
+// Setup constant function using above closures.
+var o = {};
+o.func = mk();
+
+// Optimize object comparison with new-space RHS.
+function cmp(o, f) {
+  return f === o.func;
+}
+assertTrue(cmp(o, o.func));
+assertTrue(cmp(o, o.func));
+%OptimizeFunctionOnNextCall(cmp);
+assertTrue(cmp(o, o.func));
=======================================

--- /branches/bleeding_edge/src/ia32/lithium-codegen-ia32.cc Thu May 2302:51:06 2013+++ /branches/bleeding_edge/src/ia32/lithium-codegen-ia32.cc Thu May 2307:06:28 2013

@@ -2325,10 +2325,11 @@
   int true_block = chunk_->LookupDestination(instr->true_block_id());

   if (instr->right()->IsConstantOperand()) {
-    __ cmp(left, ToHandle(LConstantOperand::cast(instr->right())));

+ Handle<Object> right =ToHandle(LConstantOperand::cast(instr->right()));

+    __ CmpObject(left, right);
   } else {
     Operand right = ToOperand(instr->right());
-    __ cmp(left, Operand(right));
+    __ cmp(left, right);
   }
   EmitBranch(true_block, false_block, equal);
 }
=======================================

--- /branches/bleeding_edge/src/ia32/macro-assembler-ia32.cc Thu May 2302:19:18 2013+++ /branches/bleeding_edge/src/ia32/macro-assembler-ia32.cc Thu May 2307:06:28 2013

@@ -2502,6 +2502,18 @@
     mov(result, object);
   }
 }
+
+

+void MacroAssembler::CmpHeapObject(Register reg, Handle<HeapObject>object) {

+  ALLOW_HANDLE_DEREF(isolate(), "using raw address");
+  if (isolate()->heap()->InNewSpace(*object)) {
+    Handle<JSGlobalPropertyCell> cell =
+        isolate()->factory()->NewJSGlobalPropertyCell(object);
+    cmp(reg, Operand::Cell(cell));
+  } else {
+    cmp(reg, object);
+  }
+}


 void MacroAssembler::PushHeapObject(Handle<HeapObject> object) {
=======================================

--- /branches/bleeding_edge/src/ia32/macro-assembler-ia32.h Thu May 2302:19:18 2013+++ /branches/bleeding_edge/src/ia32/macro-assembler-ia32.h Thu May 2307:06:28 2013

@@ -272,6 +272,7 @@
   void LoadFromSafepointRegisterSlot(Register dst, Register src);

   void LoadHeapObject(Register result, Handle<HeapObject> object);
+  void CmpHeapObject(Register reg, Handle<HeapObject> object);
   void PushHeapObject(Handle<HeapObject> object);

   void LoadObject(Register result, Handle<Object> object) {
@@ -282,6 +283,15 @@
       Set(result, Immediate(object));
     }
   }
+
+  void CmpObject(Register reg, Handle<Object> object) {
+    ALLOW_HANDLE_DEREF(isolate(), "heap object check");
+    if (object->IsHeapObject()) {
+      CmpHeapObject(reg, Handle<HeapObject>::cast(object));
+    } else {
+      cmp(reg, Immediate(object));
+    }
+  }

//---------------------------------------------------------------------------

   // JavaScript invokes
=======================================

--- /branches/bleeding_edge/src/x64/lithium-codegen-x64.cc Thu May 2302:51:06 2013+++ /branches/bleeding_edge/src/x64/lithium-codegen-x64.cc Thu May 2307:06:28 2013

@@ -2103,9 +2103,11 @@
   int true_block = chunk_->LookupDestination(instr->true_block_id());

   if (instr->right()->IsConstantOperand()) {
-    __ Cmp(left, ToHandle(LConstantOperand::cast(instr->right())));

+ Handle<Object> right =ToHandle(LConstantOperand::cast(instr->right()));

+    __ CmpObject(left, right);
   } else {
-    __ cmpq(left, ToRegister(instr->right()));
+    Register right = ToRegister(instr->right());
+    __ cmpq(left, right);
   }
   EmitBranch(true_block, false_block, equal);
 }
@@ -4974,15 +4976,7 @@
 void LCodeGen::DoCheckFunction(LCheckFunction* instr) {
   Register reg = ToRegister(instr->value());
   Handle<JSFunction> target = instr->hydrogen()->target();
-  ALLOW_HANDLE_DEREF(isolate(), "using raw address");
-  if (isolate()->heap()->InNewSpace(*target)) {
-    Handle<JSGlobalPropertyCell> cell =
-        isolate()->factory()->NewJSGlobalPropertyCell(target);
-    __ movq(kScratchRegister, cell, RelocInfo::GLOBAL_PROPERTY_CELL);
-    __ cmpq(reg, Operand(kScratchRegister, 0));
-  } else {
-    __ Cmp(reg, target);
-  }
+  __ CmpHeapObject(reg, target);
   DeoptimizeIf(not_equal, instr->environment());
 }

=======================================

--- /branches/bleeding_edge/src/x64/macro-assembler-x64.cc Thu May 2302:19:18 2013+++ /branches/bleeding_edge/src/x64/macro-assembler-x64.cc Thu May 2307:06:28 2013

@@ -2299,6 +2299,7 @@
   if (source->IsSmi()) {
     Move(dst, Smi::cast(*source));
   } else {
+    ASSERT(source->IsHeapObject());
     movq(dst, source, RelocInfo::EMBEDDED_OBJECT);
   }
 }
@@ -2309,6 +2310,7 @@
   if (source->IsSmi()) {
     Move(dst, Smi::cast(*source));
   } else {
+    ASSERT(source->IsHeapObject());
     movq(kScratchRegister, source, RelocInfo::EMBEDDED_OBJECT);
     movq(dst, kScratchRegister);
   }
@@ -2320,7 +2322,8 @@
   if (source->IsSmi()) {
     Cmp(dst, Smi::cast(*source));
   } else {
-    Move(kScratchRegister, source);
+    ASSERT(source->IsHeapObject());
+    movq(kScratchRegister, source, RelocInfo::EMBEDDED_OBJECT);
     cmpq(dst, kScratchRegister);
   }
 }
@@ -2362,6 +2365,19 @@
     Move(result, object);
   }
 }
+
+

+void MacroAssembler::CmpHeapObject(Register reg, Handle<HeapObject>object) {

+  ALLOW_HANDLE_DEREF(isolate(), "using raw address");
+  if (isolate()->heap()->InNewSpace(*object)) {
+    Handle<JSGlobalPropertyCell> cell =
+        isolate()->factory()->NewJSGlobalPropertyCell(object);
+    movq(kScratchRegister, cell, RelocInfo::GLOBAL_PROPERTY_CELL);
+    cmpq(reg, Operand(kScratchRegister, 0));
+  } else {
+    Cmp(reg, object);
+  }
+}


 void MacroAssembler::PushHeapObject(Handle<HeapObject> object) {
=======================================

--- /branches/bleeding_edge/src/x64/macro-assembler-x64.h Thu May 2302:19:18 2013+++ /branches/bleeding_edge/src/x64/macro-assembler-x64.h Thu May 2307:06:28 2013

@@ -788,6 +788,7 @@
   // Load a heap object and handle the case of new-space objects by
   // indirecting via a global cell.
   void LoadHeapObject(Register result, Handle<HeapObject> object);
+  void CmpHeapObject(Register reg, Handle<HeapObject> object);
   void PushHeapObject(Handle<HeapObject> object);

   void LoadObject(Register result, Handle<Object> object) {
@@ -798,6 +799,15 @@
       Move(result, object);
     }
   }
+
+  void CmpObject(Register reg, Handle<Object> object) {
+    ALLOW_HANDLE_DEREF(isolate(), "heap object check");
+    if (object->IsHeapObject()) {
+      CmpHeapObject(reg, Handle<HeapObject>::cast(object));
+    } else {
+      Cmp(reg, object);
+    }
+  }

   // Load a global cell into a register.
   void LoadGlobalCell(Register dst, Handle<JSGlobalPropertyCell> cell);

--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

---You received this message because you are subscribed to the Google Groups "v8-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

[v8-dev] [v8] r14777 committed - Fix embedded new-space pointer in LCmpObjectEqAndBranch....

Reply via email to