Fix to get around an assertion that triggers when generating code that happens to...

R=ishell@chromium.org
BUG=355486
LOG=N

Review URL: https://codereview.chromium.org/201573011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20218 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index a6be271..401a49e 100644 (file)
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -2910,9 +2910,14 @@ void LCodeGen::DoAccessArgumentsAt(LAccessArgumentsAt* instr) {
       instr->index()->IsConstantOperand()) {
     int32_t const_index = ToInteger32(LConstantOperand::cast(instr->index()));
     int32_t const_length = ToInteger32(LConstantOperand::cast(instr->length()));
-    StackArgumentsAccessor args(arguments, const_length,
-                                ARGUMENTS_DONT_CONTAIN_RECEIVER);
-    __ movp(result, args.GetArgumentOperand(const_index));
+    if (const_index < const_length) {
+      StackArgumentsAccessor args(arguments, const_length,
+                                  ARGUMENTS_DONT_CONTAIN_RECEIVER);
+      __ movp(result, args.GetArgumentOperand(const_index));
+    } else {
+      // This code should never be executed; just stop here.
+      __ int3();
+    }
   } else {
     Register length = ToRegister(instr->length());
     // There are two words between the frame pointer and the last argument.

diff --git a/test/mjsunit/regress/regress-355486.js b/test/mjsunit/regress/regress-355486.js
new file mode 100644 (file)
index 0000000..55362a1
--- /dev/null
+++ b/test/mjsunit/regress/regress-355486.js
@@ -0,0 +1,13 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() { var v = arguments[0]; }
+function g() { f(); }
+
+g();
+g();
+%OptimizeFunctionOnNextCall(g);
+g();