Merged: [arm] Fix custom addition in MacroAssembler::[Fast]Allocate

Revision: 87332fd BUG=chromium:663402 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=cbruni@chromium.org Review URL: https://codereview.chromium.org/2500843002 . Cr-Commit-Position: refs/branch-heads/5.5@{v8#42} Cr-Branched-From: 3cbd583-refs/heads/5.5.372@{#1} Cr-Branched-From: b3c8b0c-refs/heads/master@{#40015}
nodejs · Nov 14, 2016 · fb84109 · fb84109
1 parent 14a4417
commit fb84109
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 6 deletions.
diff --git a/src/arm/macro-assembler-arm.cc b/src/arm/macro-assembler-arm.cc
@@ -2046,7 +2046,6 @@ void MacroAssembler::Allocate(int object_size,
   // point, so we cannot just use add().
   DCHECK(object_size > 0);
   Register source = result;
-  Condition cond = al;
   int shift = 0;
   while (object_size != 0) {
     if (((object_size >> shift) & 0x03) == 0) {
@@ -2057,9 +2056,8 @@ void MacroAssembler::Allocate(int object_size,
       shift += 8;
       Operand bits_operand(bits);
       DCHECK(bits_operand.instructions_required(this) == 1);
-      add(result_end, source, bits_operand, LeaveCC, cond);
+      add(result_end, source, bits_operand);
       source = result_end;
-      cond = cc;
     }
   }
 
@@ -2258,7 +2256,6 @@ void MacroAssembler::FastAllocate(int object_size, Register result,
   // this point, so we cannot just use add().
   DCHECK(object_size > 0);
   Register source = result;
-  Condition cond = al;
   int shift = 0;
   while (object_size != 0) {
     if (((object_size >> shift) & 0x03) == 0) {
@@ -2269,9 +2266,8 @@ void MacroAssembler::FastAllocate(int object_size, Register result,
       shift += 8;
       Operand bits_operand(bits);
       DCHECK(bits_operand.instructions_required(this) == 1);
-      add(result_end, source, bits_operand, LeaveCC, cond);
+      add(result_end, source, bits_operand);
       source = result_end;
-      cond = cc;
     }
   }
 

diff --git a/test/mjsunit/regress/regress-crbug-663402.js b/test/mjsunit/regress/regress-crbug-663402.js
@@ -0,0 +1,40 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var g_eval = eval;
+function emit_f(size) {
+  var body = "function f(x) {" +
+             "  if (x < 0) return x;" +
+             "  var a = [1];" +
+             "  if (x > 0) return [";
+  for (var i = 0; i < size; i++) {
+    body += "0.1, ";
+  }
+  body += "  ];" +
+          "  return a;" +
+          "}";
+  g_eval(body);
+}
+
+// Length must be big enough to make the backing store's size not fit into
+// a single instruction's immediate field (2^12).
+var kLength = 701;
+emit_f(kLength);
+f(1);
+f(1);
+%OptimizeFunctionOnNextCall(f);
+var a = f(1);
+
+// Allocating something else should not disturb |a|.
+var b = new Object();
+for (var i = 0; i < kLength; i++) {
+  assertEquals(0.1, a[i]);
+}
+
+// Allocating more should not crash.
+for (var i = 0; i < 300; i++) {
+  f(1);
+}