ARM: Fix a crash bug in code for %_IsStringWrapperSafeForDefaultValueOf

Turned out out that the setting of bit Map::kStringWrapperSafeForDefaultValueOf in Map::kStringWrapperSafeForDefaultValueOf was not done on the map but in some other memory location causing crashes.

R=vegorov@chromium.org

BUG=none
TEST=mozilla/data/js1_2/String/slice.js (crashed only on ARM hardware)

Review URL: http://codereview.chromium.org//6816054

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7558 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/arm/full-codegen-arm.cc b/src/arm/full-codegen-arm.cc
index d1356fa74efb76fca9edb337f83f28a4f327543d..fe0471f5bdf89aee087a8b69734af1fba663b581 100644 (file)
--- a/src/arm/full-codegen-arm.cc
+++ b/src/arm/full-codegen-arm.cc
@@ -2595,9 +2595,9 @@ void FullCodeGenerator::EmitIsStringWrapperSafeForDefaultValueOf(
 
   // Set the bit in the map to indicate that it has been checked safe for
   // default valueOf and set true result.
-  __ ldrb(r2, FieldMemOperand(r4, Map::kBitField2Offset));
+  __ ldrb(r2, FieldMemOperand(r1, Map::kBitField2Offset));
   __ orr(r2, r2, Operand(1 << Map::kStringWrapperSafeForDefaultValueOf));
-  __ strb(r2, FieldMemOperand(r4, Map::kBitField2Offset));
+  __ strb(r2, FieldMemOperand(r1, Map::kBitField2Offset));
   __ jmp(if_true);
 
   PrepareForBailoutBeforeSplit(TOS_REG, true, if_true, if_false);