Fix polymorphic hydrogen handling of SLOPPY_ARGUMENTS_ELEMENTS

BUG=chromium:354391
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/206073008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20137 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 282fae7..891c714 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -6395,6 +6395,11 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
         elements_kind != GetInitialFastElementsKind()) {
       possible_transitioned_maps.Add(map);
     }
+    if (elements_kind == SLOPPY_ARGUMENTS_ELEMENTS) {
+      HInstruction* result = BuildKeyedGeneric(access_type, object, key, val);
+      *has_side_effects = result->HasObservableSideEffects();
+      return AddInstruction(result);
+    }
   }
   // Get transition target for each map (NULL == no transition).
   for (int i = 0; i < maps->length(); ++i) {

diff --git a/test/mjsunit/regress/regress-crbug-354391.js b/test/mjsunit/regress/regress-crbug-354391.js
new file mode 100644 (file)
index 0000000..e652bd3
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-354391.js
@@ -0,0 +1,21 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function load(a, i) {
+  return a[i];
+}
+
+function f2(a, b, c, d, index) {
+  return load(arguments, index);
+}
+
+f2(1, 2, 3, 4, "foo");
+f2(1, 2, 3, 4, "foo");
+load([11, 22, 33], 0);
+assertEquals(11, f2(11, 22, 33, 44, 0));
+
+%OptimizeFunctionOnNextCall(load);
+assertEquals(11, f2(11, 22, 33, 44, 0));