[v8-dev] Fix for failing asserts in HBoundsCheck code generation on x64: index register should be zero exten... (issue 180013002)

Tue, 25 Feb 2014 07:58:23 -0800 

Reviewers: Toon Verwaest,

Message:
PTAL

Description:
Fix for failing asserts in HBoundsCheck code generation on x64: index register 
should be zero extended.

BUG=345820
LOG=N

Please review this at https://codereview.chromium.org/180013002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+21, -2 lines):
  M src/x64/disasm-x64.cc
  M src/x64/lithium-gap-resolver-x64.cc
  A test/mjsunit/regress/regress-crbug-345820.js


Index: src/x64/disasm-x64.cc
diff --git a/src/x64/disasm-x64.cc b/src/x64/disasm-x64.cc
index 0edc305cf43fc404d0a19753117f2442664bb155..dd64d3f5ee4b3a501a850a4b7591c42b7cece2bc 100644 
--- a/src/x64/disasm-x64.cc
+++ b/src/x64/disasm-x64.cc
@@ -1459,7 +1459,8 @@ int DisassemblerX64::InstructionDecode(v8::internal::Vector<char> out_buffer, 
           data += 3;
           break;
         case OPERAND_DOUBLEWORD_SIZE:
- addr = reinterpret_cast<byte*>(*reinterpret_cast<int32_t*>(data + 1)); 
+          addr =
+ reinterpret_cast<byte*>(*reinterpret_cast<uint32_t*>(data + 1)); 
           data += 5;
           break;
         case OPERAND_QUADWORD_SIZE:
Index: src/x64/lithium-gap-resolver-x64.cc
diff --git a/src/x64/lithium-gap-resolver-x64.cc b/src/x64/lithium-gap-resolver-x64.cc index 5b4e32d2c44cec51bbe3b6f8684addd610272614..c3bfd9e61203243d53023ae064bbd5b3dbe41eee 100644 
--- a/src/x64/lithium-gap-resolver-x64.cc
+++ b/src/x64/lithium-gap-resolver-x64.cc
@@ -198,7 +198,7 @@ void LGapResolver::EmitMove(int index) {
       if (cgen_->IsSmiConstant(constant_source)) {
         __ Move(dst, cgen_->ToSmi(constant_source));
       } else if (cgen_->IsInteger32Constant(constant_source)) {
-        __ Set(dst, cgen_->ToInteger32(constant_source));
+ __ Set(dst, static_cast<uint32_t>(cgen_->ToInteger32(constant_source))); 
       } else {
         __ Move(dst, cgen_->ToHandle(constant_source));
       }
Index: test/mjsunit/regress/regress-crbug-345820.js
diff --git a/test/mjsunit/regress/regress-crbug-345820.js b/test/mjsunit/regress/regress-crbug-345820.js 
new file mode 100644
index 0000000000000000000000000000000000000000..bdd0af9b12db3340263c47f40e3d0b5f1eb84172 
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-345820.js
@@ -0,0 +1,18 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --debug-code
+
+var __v_6 = {};
+__v_6 = new Int32Array(5);
+for (var i = 0; i < __v_6.length; i++) __v_6[i] = 0;
+
+function __f_7(N) {
+  for (var i = -1; i < N; i++) {
+    __v_6[i] = i;
+  }
+}
+__f_7(1);
+%OptimizeFunctionOnNextCall(__f_7);
+__f_7(__v_6.length);


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to