MIPS: Fix rare random crashes in keyed store if element transition is needed.

TEST=mjsunit/sin-cos
BUG=
R=balazs.kilvady@imgtec.com

Review URL: https://codereview.chromium.org/865153002

Cr-Commit-Position: refs/heads/master@{#26223}

diff --git a/src/mips/codegen-mips.cc b/src/mips/codegen-mips.cc
index 0e28eed..9188f7b 100644 (file)
--- a/src/mips/codegen-mips.cc
+++ b/src/mips/codegen-mips.cc
@@ -750,7 +750,7 @@ void ElementsTransitionGenerator::GenerateSmiToDouble(
                       OMIT_SMI_CHECK);
   // Replace receiver's backing store with newly created FixedDoubleArray.
   __ Addu(scratch1, array, Operand(kHeapObjectTag));
-  __ sw(scratch1, FieldMemOperand(a2, JSObject::kElementsOffset));
+  __ sw(scratch1, FieldMemOperand(receiver, JSObject::kElementsOffset));
   __ RecordWriteField(receiver,
                       JSObject::kElementsOffset,
                       scratch1,

diff --git a/src/mips64/codegen-mips64.cc b/src/mips64/codegen-mips64.cc
index fa0a2db..05a193c 100644 (file)
--- a/src/mips64/codegen-mips64.cc
+++ b/src/mips64/codegen-mips64.cc
@@ -643,7 +643,7 @@ void ElementsTransitionGenerator::GenerateSmiToDouble(
                       OMIT_SMI_CHECK);
   // Replace receiver's backing store with newly created FixedDoubleArray.
   __ Daddu(scratch1, array, Operand(kHeapObjectTag));
-  __ sd(scratch1, FieldMemOperand(a2, JSObject::kElementsOffset));
+  __ sd(scratch1, FieldMemOperand(receiver, JSObject::kElementsOffset));
   __ RecordWriteField(receiver,
                       JSObject::kElementsOffset,
                       scratch1,