Revision: 20098
Author: u...@chromium.org
Date: Thu Mar 20 08:32:58 2014 UTC
Log: A64: Fix write barrier input in
KeyedStoreIC::GenerateSloppyArguments.
This fixes flaky crashes on the gc-stress bot:
Fatal error in ../src/incremental-marking.cc, line 84
CHECK(obj->IsHeapObject()) failed
BUG=353551
LOG=N
TEST=test/mjsunit/regress/regress-353551.js
R=m.m.capew...@googlemail.com
Review URL: https://codereview.chromium.org/204453002
http://code.google.com/p/v8/source/detail?r=20098
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-353551.js
Modified:
/branches/bleeding_edge/src/a64/ic-a64.cc
=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-353551.js Thu Mar
20 08:32:58 2014 UTC
@@ -0,0 +1,40 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+var depth = 0;
+function __f_3(x) {
+ var __v_1 = arguments;
+ __v_1[1000] = 123;
+ depth++;
+ if (depth > 3000) return;
+ function __f_4() {
+ ++__v_1[0];
+ __f_3(0.5);
+ };
+ __f_4();
+}
+__f_3(0.5);
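Review bot: The regression test carries no comment saying what it exercises, so a reader cannot tell why the `arguments` alias, the out-of-range store at index 1000 and the recursive closure doing `++__v_1[0]` are all needed together. Per the commit message the crash only reproduced under GC stress (the write barrier in KeyedStoreIC::GenerateSloppyArguments being handed a non-HeapObject base), and nothing in the script itself forces a GC during the store, so the test is presumably only effective on a gc-stress run; a header line such as `// Regression test for bug 353551: a keyed store into a mapped arguments slot must pass a tagged HeapObject base to the write barrier.` would make both the intent and the dependency on GC timing explicit. The recursion bound of 3000 is likewise undocumented; a one-line comment on its purpose (presumably to exercise the store path many times without exhausting the stack) would help the next person who has to tune it.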
=======================================
--- /branches/bleeding_edge/src/a64/ic-a64.cc Tue Mar 11 15:50:01 2014 UTC
+++ /branches/bleeding_edge/src/a64/ic-a64.cc Thu Mar 20 08:32:58 2014 UTC
@@ -392,8 +392,11 @@
// Load value from context and return it.
__ Ldr(scratch2, FieldMemOperand(map, FixedArray::kHeaderSize));
__ SmiUntag(scratch1);
- __ Add(scratch2, scratch2, Context::kHeaderSize - kHeapObjectTag);
- return MemOperand(scratch2, scratch1, LSL, kPointerSizeLog2);
+ __ Lsl(scratch1, scratch1, kPointerSizeLog2);
+ __ Add(scratch1, scratch1, Context::kHeaderSize - kHeapObjectTag);
+ // The base of the result (scratch2) is passed to RecordWrite in
+ // KeyedStoreIC::GenerateSloppyArguments and it must be a HeapObject.
+ return MemOperand(scratch2, scratch1);
}
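Review bot: The invariant the new comment on lines 75–76 states — that the base register of the returned MemOperand stays a tagged HeapObject because a caller passes it to RecordWrite — is enforced only by convention; a debug-build check right before the return would catch a future regression of exactly the kind this commit fixes, e.g. `__ AssertNotSmi(scratch2);` if the A64 macro assembler's AssertNotSmi is available here. The helper this hunk ends now also leaves scratch1 holding the scaled, header-adjusted byte offset rather than the untagged index, so its header comment (the function starts outside the hunk, above line 68) should state which register holds the base and which the offset on return and that both scratch registers are clobbered. Tying the comment to one caller by name will go stale if another caller appears; phrasing it as the helper's own contract, `// scratch2 must remain the tagged object base: callers hand it to RecordWrite.`, keeps it accurate.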