Fix missing smi check in inlined indexOf/lastIndexOf.

BUG=382513
LOG=y
R=danno@chromium.org

Review URL: https://codereview.chromium.org/313233005

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21727 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 1e623af..df83f04 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8538,7 +8538,8 @@ HValue* HOptimizedGraphBuilder::BuildArrayIndexOf(HValue* receiver,
               elements, index, static_cast<HValue*>(NULL),
               kind, ALLOW_RETURN_HOLE);
           IfBuilder if_issame(this);
-          HCompareMap* issame = if_issame.If<HCompareMap>(
+          if_issame.IfNot<HIsSmiAndBranch>(element);
+          HCompareMap* issame = if_issame.AndIf<HCompareMap>(
               element, isolate()->factory()->heap_number_map());
           if_issame.And();
           HValue* number = Add<HLoadNamedField>(

diff --git a/test/mjsunit/regress/regress-crbug-382513.js b/test/mjsunit/regress/regress-crbug-382513.js
new file mode 100644 (file)
index 0000000..59d2dca
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-382513.js
@@ -0,0 +1,11 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() { return [+0,false].indexOf(-(4/3)); }
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();