Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(26)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/arm/codegen-arm.cc

Issue 6682026: Fix SmiCompare on 64 bit to distinguish between comparisons where... (Closed) Base URL: http://v8.googlecode.com/svn/branches/bleeding_edge/
Patch Set: '' Created 9 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« src/arm/code-stubs-arm.cc ('K') | « src/arm/code-stubs-arm.cc ('k') | src/arm/full-codegen-arm.cc » ('j') | src/ia32/full-codegen-ia32.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/arm/codegen-arm.cc
===================================================================
--- src/arm/codegen-arm.cc (revision 7153)
+++ src/arm/codegen-arm.cc (working copy)
@@ -5584,8 +5584,8 @@
// Fetch the map and check if array is in fast case.
// Check that object doesn't require security checks and
// has no indexed interceptor.
- __ CompareObjectType(object, tmp1, tmp2, FIRST_JS_OBJECT_TYPE);
- deferred->Branch(lt);
+ __ CompareObjectType(object, tmp1, tmp2, JS_ARRAY_TYPE);
+ deferred->Branch(ne);
__ ldrb(tmp2, FieldMemOperand(tmp1, Map::kBitFieldOffset));
__ tst(tmp2, Operand(KeyedLoadIC::kSlowCaseBitFieldMask));
deferred->Branch(ne);
@@ -7139,7 +7139,6 @@
scratch1, scratch2);
-
// Load the value, key and receiver from the stack.
bool value_is_harmless = frame_->KnownSmiAt(0);
if (wb_info == NEVER_NEWSPACE) value_is_harmless = true;
@@ -7187,12 +7186,6 @@
__ CompareObjectType(receiver, scratch1, scratch1, JS_ARRAY_TYPE);
deferred->Branch(ne);
- // Check that the key is within bounds. Both the key and the length of
- // the JSArray are smis. Use unsigned comparison to handle negative keys.
- __ ldr(scratch1, FieldMemOperand(receiver, JSArray::kLengthOffset));
- __ cmp(scratch1, key);
- deferred->Branch(ls); // Unsigned less equal.
-
// Get the elements array from the receiver.
__ ldr(scratch1, FieldMemOperand(receiver, JSObject::kElementsOffset));
if (!value_is_harmless && wb_info != LIKELY_SMI) {
@@ -7207,6 +7200,13 @@
}
// Check that the elements array is not a dictionary.
__ ldr(scratch2, FieldMemOperand(scratch1, JSObject::kMapOffset));
+
+ // Check that the key is within bounds. Both the key and the length of
+ // the JSArray are smis. Use unsigned comparison to handle negative keys.
+ __ ldr(scratch1, FieldMemOperand(receiver, JSArray::kLengthOffset));
+ __ cmp(scratch1, key);
+ deferred->Branch(ls); // Unsigned less equal.
+
Lasse Reichstein 2011/03/15 09:07:01 Add to the comment that we know the length is a sm
Lasse Reichstein 2011/03/15 09:07:01 This code now clobbers scratch1 which is assumed t
Erik Corry 2011/03/15 10:00:50 Nice catch. The tests missed this because this wh
Erik Corry 2011/03/15 10:00:50 Done.
// The following instructions are the part of the inlined store keyed
// property code which can be patched. Therefore the exact number of
// instructions generated need to be fixed, so the constant pool is blocked
« src/arm/code-stubs-arm.cc ('K') | « src/arm/code-stubs-arm.cc ('k') | src/arm/full-codegen-arm.cc » ('j') | src/ia32/full-codegen-ia32.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698