Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(6)

Side by Side Diff: src/x64/stub-cache-x64.cc

Issue 7672014: Bugs in x64 ICs introduced by array length refactor. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Created 9 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2011 the V8 project authors. All rights reserved. 1 // Copyright 2011 the V8 project authors. All rights reserved.
2 // Redistribution and use in source and binary forms, with or without 2 // Redistribution and use in source and binary forms, with or without
3 // modification, are permitted provided that the following conditions are 3 // modification, are permitted provided that the following conditions are
4 // met: 4 // met:
5 // 5 //
6 // * Redistributions of source code must retain the above copyright 6 // * Redistributions of source code must retain the above copyright
7 // notice, this list of conditions and the following disclaimer. 7 // notice, this list of conditions and the following disclaimer.
8 // * Redistributions in binary form must reproduce the above 8 // * Redistributions in binary form must reproduce the above
9 // copyright notice, this list of conditions and the following 9 // copyright notice, this list of conditions and the following
10 // disclaimer in the documentation and/or other materials provided 10 // disclaimer in the documentation and/or other materials provided
(...skipping 3225 matching lines...) Expand 10 before | Expand all | Expand 10 after
3236 Label slow, miss_force_generic; 3236 Label slow, miss_force_generic;
3237 3237
3238 // This stub is meant to be tail-jumped to, the receiver must already 3238 // This stub is meant to be tail-jumped to, the receiver must already
3239 // have been verified by the caller to not be a smi. 3239 // have been verified by the caller to not be a smi.
3240 3240
3241 // Check that the key is a smi. 3241 // Check that the key is a smi.
3242 __ JumpIfNotSmi(rax, &miss_force_generic); 3242 __ JumpIfNotSmi(rax, &miss_force_generic);
3243 3243
3244 // Check that the index is in range. 3244 // Check that the index is in range.
3245 __ movq(rbx, FieldOperand(rdx, JSObject::kElementsOffset)); 3245 __ movq(rbx, FieldOperand(rdx, JSObject::kElementsOffset));
3246 __ cmpl(rax, FieldOperand(rbx, ExternalArray::kLengthOffset)); 3246 __ SmiToInteger32(rcx, rax);
3247 __ cmpq(rax, FieldOperand(rbx, ExternalArray::kLengthOffset));
3247 // Unsigned comparison catches both negative and too-large values. 3248 // Unsigned comparison catches both negative and too-large values.
3248 __ j(above_equal, &miss_force_generic); 3249 __ j(above_equal, &miss_force_generic);
3249 3250
3250 // rax: index (as a smi) 3251 // rax: index (as a smi)
3251 // rdx: receiver (JSObject) 3252 // rdx: receiver (JSObject)
3252 // rcx: untagged index 3253 // rcx: untagged index
3253 // rbx: elements array 3254 // rbx: elements array
3254 __ movq(rbx, FieldOperand(rbx, ExternalArray::kExternalPointerOffset)); 3255 __ movq(rbx, FieldOperand(rbx, ExternalArray::kExternalPointerOffset));
3255 // rbx: base pointer of external storage 3256 // rbx: base pointer of external storage
3256 switch (elements_kind) { 3257 switch (elements_kind) {
3257 case JSObject::EXTERNAL_BYTE_ELEMENTS: 3258 case JSObject::EXTERNAL_BYTE_ELEMENTS:
3258 __ SmiToInteger32(rcx, rax);
3259 __ movsxbq(rcx, Operand(rbx, rcx, times_1, 0)); 3259 __ movsxbq(rcx, Operand(rbx, rcx, times_1, 0));
3260 break; 3260 break;
3261 case JSObject::EXTERNAL_PIXEL_ELEMENTS: 3261 case JSObject::EXTERNAL_PIXEL_ELEMENTS:
3262 case JSObject::EXTERNAL_UNSIGNED_BYTE_ELEMENTS: 3262 case JSObject::EXTERNAL_UNSIGNED_BYTE_ELEMENTS:
3263 __ SmiToInteger32(rcx, rax);
3264 __ movzxbq(rcx, Operand(rbx, rcx, times_1, 0)); 3263 __ movzxbq(rcx, Operand(rbx, rcx, times_1, 0));
3265 break; 3264 break;
3266 case JSObject::EXTERNAL_SHORT_ELEMENTS: 3265 case JSObject::EXTERNAL_SHORT_ELEMENTS:
3267 __ movsxwq(rcx, Operand(rbx, rax, times_1, 0)); 3266 __ movsxwq(rcx, Operand(rbx, rcx, times_2, 0));
3268 break; 3267 break;
3269 case JSObject::EXTERNAL_UNSIGNED_SHORT_ELEMENTS: 3268 case JSObject::EXTERNAL_UNSIGNED_SHORT_ELEMENTS:
3270 __ movzxwq(rcx, Operand(rbx, rax, times_1, 0)); 3269 __ movzxwq(rcx, Operand(rbx, rcx, times_2, 0));
3271 break; 3270 break;
3272 case JSObject::EXTERNAL_INT_ELEMENTS: 3271 case JSObject::EXTERNAL_INT_ELEMENTS:
3273 __ movsxlq(rcx, Operand(rbx, rax, times_2, 0)); 3272 __ movsxlq(rcx, Operand(rbx, rcx, times_4, 0));
3274 break; 3273 break;
3275 case JSObject::EXTERNAL_UNSIGNED_INT_ELEMENTS: 3274 case JSObject::EXTERNAL_UNSIGNED_INT_ELEMENTS:
3276 __ movl(rcx, Operand(rbx, rax, times_2, 0)); 3275 __ movl(rcx, Operand(rbx, rcx, times_4, 0));
3277 break; 3276 break;
3278 case JSObject::EXTERNAL_FLOAT_ELEMENTS: 3277 case JSObject::EXTERNAL_FLOAT_ELEMENTS:
3279 __ cvtss2sd(xmm0, Operand(rbx, rax, times_2, 0)); 3278 __ cvtss2sd(xmm0, Operand(rbx, rcx, times_4, 0));
3280 break; 3279 break;
3281 case JSObject::EXTERNAL_DOUBLE_ELEMENTS: 3280 case JSObject::EXTERNAL_DOUBLE_ELEMENTS:
3282 __ movsd(xmm0, Operand(rbx, rax, times_4, 0)); 3281 __ movsd(xmm0, Operand(rbx, rcx, times_8, 0));
3283 break; 3282 break;
3284 default: 3283 default:
3285 UNREACHABLE(); 3284 UNREACHABLE();
3286 break; 3285 break;
3287 } 3286 }
3288 3287
3289 // rax: index 3288 // rax: index
3290 // rdx: receiver 3289 // rdx: receiver
3291 // For integer array types: 3290 // For integer array types:
3292 // rcx: value 3291 // rcx: value
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after
3372 Label slow, miss_force_generic; 3371 Label slow, miss_force_generic;
3373 3372
3374 // This stub is meant to be tail-jumped to, the receiver must already 3373 // This stub is meant to be tail-jumped to, the receiver must already
3375 // have been verified by the caller to not be a smi. 3374 // have been verified by the caller to not be a smi.
3376 3375
3377 // Check that the key is a smi. 3376 // Check that the key is a smi.
3378 __ JumpIfNotSmi(rcx, &miss_force_generic); 3377 __ JumpIfNotSmi(rcx, &miss_force_generic);
3379 3378
3380 // Check that the index is in range. 3379 // Check that the index is in range.
3381 __ movq(rbx, FieldOperand(rdx, JSObject::kElementsOffset)); 3380 __ movq(rbx, FieldOperand(rdx, JSObject::kElementsOffset));
3382 __ cmpl(rcx, FieldOperand(rbx, ExternalArray::kLengthOffset)); 3381 __ SmiToInteger32(rdi, rcx); // Untag the index.
3382 __ cmpq(rcx, FieldOperand(rbx, ExternalArray::kLengthOffset));
3383 // Unsigned comparison catches both negative and too-large values. 3383 // Unsigned comparison catches both negative and too-large values.
3384 __ j(above_equal, &miss_force_generic); 3384 __ j(above_equal, &miss_force_generic);
3385 3385
3386 // Handle both smis and HeapNumbers in the fast path. Go to the 3386 // Handle both smis and HeapNumbers in the fast path. Go to the
3387 // runtime for all other kinds of values. 3387 // runtime for all other kinds of values.
3388 // rax: value 3388 // rax: value
3389 // rcx: key (a smi) 3389 // rcx: key (a smi)
3390 // rdx: receiver (a JSObject) 3390 // rdx: receiver (a JSObject)
3391 // rbx: elements array 3391 // rbx: elements array
3392 // rdi: untagged key
3392 Label check_heap_number; 3393 Label check_heap_number;
3393 if (elements_kind == JSObject::EXTERNAL_PIXEL_ELEMENTS) { 3394 if (elements_kind == JSObject::EXTERNAL_PIXEL_ELEMENTS) {
3394 // Float to pixel conversion is only implemented in the runtime for now. 3395 // Float to pixel conversion is only implemented in the runtime for now.
3395 __ JumpIfNotSmi(rax, &slow); 3396 __ JumpIfNotSmi(rax, &slow);
3396 } else { 3397 } else {
3397 __ JumpIfNotSmi(rax, &check_heap_number, Label::kNear); 3398 __ JumpIfNotSmi(rax, &check_heap_number, Label::kNear);
3398 } 3399 }
3399 // No more branches to slow case on this path. Key and receiver not needed. 3400 // No more branches to slow case on this path. Key and receiver not needed.
3400 __ SmiToInteger32(rdx, rax); 3401 __ SmiToInteger32(rdx, rax);
3401 __ movq(rbx, FieldOperand(rbx, ExternalArray::kExternalPointerOffset)); 3402 __ movq(rbx, FieldOperand(rbx, ExternalArray::kExternalPointerOffset));
3402 // rbx: base pointer of external storage 3403 // rbx: base pointer of external storage
3403 switch (elements_kind) { 3404 switch (elements_kind) {
3404 case JSObject::EXTERNAL_PIXEL_ELEMENTS: 3405 case JSObject::EXTERNAL_PIXEL_ELEMENTS:
3405 __ ClampUint8(rdx); 3406 { // Clamp the value to [0..255].
3406 __ SmiToInteger32(rdi, rcx); 3407 Label done;
3408 __ testl(rdx, Immediate(0xFFFFFF00));
3409 __ j(zero, &done, Label::kNear);
3410 __ setcc(negative, rdx); // 1 if negative, 0 if positive.
3411 __ decb(rdx); // 0 if negative, 255 if positive.
3412 __ bind(&done);
3413 }
3407 __ movb(Operand(rbx, rdi, times_1, 0), rdx); 3414 __ movb(Operand(rbx, rdi, times_1, 0), rdx);
3408 break; 3415 break;
3409 case JSObject::EXTERNAL_BYTE_ELEMENTS: 3416 case JSObject::EXTERNAL_BYTE_ELEMENTS:
3410 case JSObject::EXTERNAL_UNSIGNED_BYTE_ELEMENTS: 3417 case JSObject::EXTERNAL_UNSIGNED_BYTE_ELEMENTS:
3411 __ SmiToInteger32(rdi, rcx);
3412 __ movb(Operand(rbx, rdi, times_1, 0), rdx); 3418 __ movb(Operand(rbx, rdi, times_1, 0), rdx);
3413 break; 3419 break;
3414 case JSObject::EXTERNAL_SHORT_ELEMENTS: 3420 case JSObject::EXTERNAL_SHORT_ELEMENTS:
3415 case JSObject::EXTERNAL_UNSIGNED_SHORT_ELEMENTS: 3421 case JSObject::EXTERNAL_UNSIGNED_SHORT_ELEMENTS:
3416 __ movw(Operand(rbx, rcx, times_1, 0), rdx); 3422 __ movw(Operand(rbx, rdi, times_2, 0), rdx);
3417 break; 3423 break;
3418 case JSObject::EXTERNAL_INT_ELEMENTS: 3424 case JSObject::EXTERNAL_INT_ELEMENTS:
3419 case JSObject::EXTERNAL_UNSIGNED_INT_ELEMENTS: 3425 case JSObject::EXTERNAL_UNSIGNED_INT_ELEMENTS:
3420 __ movl(Operand(rbx, rcx, times_2, 0), rdx); 3426 __ movl(Operand(rbx, rdi, times_4, 0), rdx);
3421 break; 3427 break;
3422 case JSObject::EXTERNAL_FLOAT_ELEMENTS: 3428 case JSObject::EXTERNAL_FLOAT_ELEMENTS:
3423 // Need to perform int-to-float conversion. 3429 // Need to perform int-to-float conversion.
3424 __ cvtlsi2ss(xmm0, rdx); 3430 __ cvtlsi2ss(xmm0, rdx);
3425 __ movss(Operand(rbx, rcx, times_2, 0), xmm0); 3431 __ movss(Operand(rbx, rdi, times_4, 0), xmm0);
3426 break; 3432 break;
3427 case JSObject::EXTERNAL_DOUBLE_ELEMENTS: 3433 case JSObject::EXTERNAL_DOUBLE_ELEMENTS:
3428 // Need to perform int-to-float conversion. 3434 // Need to perform int-to-float conversion.
3429 __ cvtlsi2sd(xmm0, rdx); 3435 __ cvtlsi2sd(xmm0, rdx);
3430 __ movsd(Operand(rbx, rcx, times_4, 0), xmm0); 3436 __ movsd(Operand(rbx, rdi, times_8, 0), xmm0);
3431 break; 3437 break;
3432 case JSObject::FAST_ELEMENTS: 3438 case JSObject::FAST_ELEMENTS:
3433 case JSObject::FAST_DOUBLE_ELEMENTS: 3439 case JSObject::FAST_DOUBLE_ELEMENTS:
3434 case JSObject::DICTIONARY_ELEMENTS: 3440 case JSObject::DICTIONARY_ELEMENTS:
3435 case JSObject::NON_STRICT_ARGUMENTS_ELEMENTS: 3441 case JSObject::NON_STRICT_ARGUMENTS_ELEMENTS:
3436 UNREACHABLE(); 3442 UNREACHABLE();
3437 break; 3443 break;
3438 } 3444 }
3439 __ ret(0); 3445 __ ret(0);
3440 3446
3441 // TODO(danno): handle heap number -> pixel array conversion 3447 // TODO(danno): handle heap number -> pixel array conversion
3442 if (elements_kind != JSObject::EXTERNAL_PIXEL_ELEMENTS) { 3448 if (elements_kind != JSObject::EXTERNAL_PIXEL_ELEMENTS) {
3443 __ bind(&check_heap_number); 3449 __ bind(&check_heap_number);
3444 // rax: value 3450 // rax: value
3445 // rcx: key (a smi) 3451 // rcx: key (a smi)
3446 // rdx: receiver (a JSObject) 3452 // rdx: receiver (a JSObject)
3447 // rbx: elements array 3453 // rbx: elements array
3454 // rdi: untagged key
3448 __ CmpObjectType(rax, HEAP_NUMBER_TYPE, kScratchRegister); 3455 __ CmpObjectType(rax, HEAP_NUMBER_TYPE, kScratchRegister);
3449 __ j(not_equal, &slow); 3456 __ j(not_equal, &slow);
3450 // No more branches to slow case on this path. 3457 // No more branches to slow case on this path.
3451 3458
3452 // The WebGL specification leaves the behavior of storing NaN and 3459 // The WebGL specification leaves the behavior of storing NaN and
3453 // +/-Infinity into integer arrays basically undefined. For more 3460 // +/-Infinity into integer arrays basically undefined. For more
3454 // reproducible behavior, convert these to zero. 3461 // reproducible behavior, convert these to zero.
3455 __ movsd(xmm0, FieldOperand(rax, HeapNumber::kValueOffset)); 3462 __ movsd(xmm0, FieldOperand(rax, HeapNumber::kValueOffset));
3456 __ movq(rbx, FieldOperand(rbx, ExternalArray::kExternalPointerOffset)); 3463 __ movq(rbx, FieldOperand(rbx, ExternalArray::kExternalPointerOffset));
3464 // rdi: untagged index
3457 // rbx: base pointer of external storage 3465 // rbx: base pointer of external storage
3458 // rcx: key
3459 // top of FPU stack: value 3466 // top of FPU stack: value
3460 if (elements_kind == JSObject::EXTERNAL_FLOAT_ELEMENTS) { 3467 if (elements_kind == JSObject::EXTERNAL_FLOAT_ELEMENTS) {
3461 __ cvtsd2ss(xmm0, xmm0); 3468 __ cvtsd2ss(xmm0, xmm0);
3462 __ movss(Operand(rbx, rcx, times_2, 0), xmm0); 3469 __ movss(Operand(rbx, rdi, times_4, 0), xmm0);
3463 __ ret(0); 3470 __ ret(0);
3464 } else if (elements_kind == JSObject::EXTERNAL_DOUBLE_ELEMENTS) { 3471 } else if (elements_kind == JSObject::EXTERNAL_DOUBLE_ELEMENTS) {
3465 __ movsd(Operand(rbx, rcx, times_4, 0), xmm0); 3472 __ movsd(Operand(rbx, rdi, times_8, 0), xmm0);
3466 __ ret(0); 3473 __ ret(0);
3467 } else { 3474 } else {
3468 // Perform float-to-int conversion with truncation (round-to-zero) 3475 // Perform float-to-int conversion with truncation (round-to-zero)
3469 // behavior. 3476 // behavior.
3470 3477
3471 // Convert to int32 and store the low byte/word. 3478 // Convert to int32 and store the low byte/word.
3472 // If the value is NaN or +/-infinity, the result is 0x80000000, 3479 // If the value is NaN or +/-infinity, the result is 0x80000000,
3473 // which is automatically zero when taken mod 2^n, n < 32. 3480 // which is automatically zero when taken mod 2^n, n < 32.
3474 // rdx: value (converted to an untagged integer) 3481 // rdx: value (converted to an untagged integer)
3475 // rdi: untagged index 3482 // rdi: untagged index
3476 // rbx: base pointer of external storage 3483 // rbx: base pointer of external storage
3477 switch (elements_kind) { 3484 switch (elements_kind) {
3478 case JSObject::EXTERNAL_PIXEL_ELEMENTS:
3479 __ ClampUint8(rdx);
3480 __ cvttsd2si(rdx, xmm0);
3481 __ SmiToInteger32(rdi, rcx);
3482 __ movb(Operand(rbx, rdi, times_1, 0), rdx);
3483 break;
3484 case JSObject::EXTERNAL_BYTE_ELEMENTS: 3485 case JSObject::EXTERNAL_BYTE_ELEMENTS:
3485 case JSObject::EXTERNAL_UNSIGNED_BYTE_ELEMENTS: 3486 case JSObject::EXTERNAL_UNSIGNED_BYTE_ELEMENTS:
3486 __ cvttsd2si(rdx, xmm0); 3487 __ cvttsd2si(rdx, xmm0);
3487 __ SmiToInteger32(rdi, rcx);
3488 __ movb(Operand(rbx, rdi, times_1, 0), rdx); 3488 __ movb(Operand(rbx, rdi, times_1, 0), rdx);
3489 break; 3489 break;
3490 case JSObject::EXTERNAL_SHORT_ELEMENTS: 3490 case JSObject::EXTERNAL_SHORT_ELEMENTS:
3491 case JSObject::EXTERNAL_UNSIGNED_SHORT_ELEMENTS: 3491 case JSObject::EXTERNAL_UNSIGNED_SHORT_ELEMENTS:
3492 __ cvttsd2si(rdx, xmm0); 3492 __ cvttsd2si(rdx, xmm0);
3493 __ SmiToInteger32(rdi, rcx); 3493 __ movw(Operand(rbx, rdi, times_2, 0), rdx);
3494 __ movw(Operand(rbx, rcx, times_1, 0), rdx);
3495 break; 3494 break;
3496 case JSObject::EXTERNAL_INT_ELEMENTS: 3495 case JSObject::EXTERNAL_INT_ELEMENTS:
3497 case JSObject::EXTERNAL_UNSIGNED_INT_ELEMENTS: 3496 case JSObject::EXTERNAL_UNSIGNED_INT_ELEMENTS:
3498 // Convert to int64, so that NaN and infinities become 3497 // Convert to int64, so that NaN and infinities become
3499 // 0x8000000000000000, which is zero mod 2^32. 3498 // 0x8000000000000000, which is zero mod 2^32.
3500 __ cvttsd2siq(rdx, xmm0); 3499 __ cvttsd2siq(rdx, xmm0);
3501 __ movl(Operand(rbx, rcx, times_2, 0), rdx); 3500 __ movl(Operand(rbx, rdi, times_4, 0), rdx);
3502 break; 3501 break;
3502 case JSObject::EXTERNAL_PIXEL_ELEMENTS:
3503 case JSObject::EXTERNAL_FLOAT_ELEMENTS: 3503 case JSObject::EXTERNAL_FLOAT_ELEMENTS:
3504 case JSObject::EXTERNAL_DOUBLE_ELEMENTS: 3504 case JSObject::EXTERNAL_DOUBLE_ELEMENTS:
3505 case JSObject::FAST_ELEMENTS: 3505 case JSObject::FAST_ELEMENTS:
3506 case JSObject::FAST_DOUBLE_ELEMENTS: 3506 case JSObject::FAST_DOUBLE_ELEMENTS:
3507 case JSObject::DICTIONARY_ELEMENTS: 3507 case JSObject::DICTIONARY_ELEMENTS:
3508 case JSObject::NON_STRICT_ARGUMENTS_ELEMENTS: 3508 case JSObject::NON_STRICT_ARGUMENTS_ELEMENTS:
3509 UNREACHABLE(); 3509 UNREACHABLE();
3510 break; 3510 break;
3511 } 3511 }
3512 __ ret(0); 3512 __ ret(0);
(...skipping 254 matching lines...) Expand 10 before | Expand all | Expand 10 after
3767 masm->isolate()->builtins()->KeyedStoreIC_MissForceGeneric(); 3767 masm->isolate()->builtins()->KeyedStoreIC_MissForceGeneric();
3768 __ jmp(ic_force_generic, RelocInfo::CODE_TARGET); 3768 __ jmp(ic_force_generic, RelocInfo::CODE_TARGET);
3769 } 3769 }
3770 3770
3771 3771
3772 #undef __ 3772 #undef __
3773 3773
3774 } } // namespace v8::internal 3774 } } // namespace v8::internal
3775 3775
3776 #endif // V8_TARGET_ARCH_X64 3776 #endif // V8_TARGET_ARCH_X64
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698