Fix instance type check in apply optimization.

We accidentally compared a map address with an instance type.  This
fix additionally avoids an upper bounds check that is not needed.

Review URL: http://codereview.chromium.org/149003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2272 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/ia32/codegen-ia32.cc b/src/ia32/codegen-ia32.cc
index 970a4ea..9bc6290 100644 (file)
--- a/src/ia32/codegen-ia32.cc
+++ b/src/ia32/codegen-ia32.cc
@@ -2184,10 +2184,14 @@ void CodeGenerator::CallApplyLazy(Property* apply,
       __ test(receiver.reg(), Immediate(kSmiTagMask));
       build_args.Branch(zero);
       Result tmp = allocator_->Allocate();
+      // We allow all JSObjects including JSFunctions.  As long as
+      // JS_FUNCTION_TYPE is the last instance type and it is right
+      // after LAST_JS_OBJECT_TYPE, we do not have to check the upper
+      // bound.
+      ASSERT(LAST_TYPE == JS_FUNCTION_TYPE);
+      ASSERT(JS_FUNCTION_TYPE == LAST_JS_OBJECT_TYPE + 1);
       __ CmpObjectType(receiver.reg(), FIRST_JS_OBJECT_TYPE, tmp.reg());
       build_args.Branch(less);
-      __ cmp(tmp.reg(), LAST_JS_OBJECT_TYPE);
-      build_args.Branch(greater);
     }
 
     // Verify that we're invoking Function.prototype.apply.

diff --git a/test/mjsunit/arguments-apply.js b/test/mjsunit/arguments-apply.js
index d8172cc..5a91228 100644 (file)
--- a/test/mjsunit/arguments-apply.js
+++ b/test/mjsunit/arguments-apply.js
@@ -80,6 +80,13 @@ assertTrue(this === NonObjectReceiver(null));
 assertTrue(this === NonObjectReceiver(void 0));
 
 
+function FunctionReceiver() {
+  return ReturnReceiver.apply(Object, arguments);
+}
+
+assertTrue(Object === FunctionReceiver());
+
+
 function ShadowApply() {
   function f() { return 42; }
   f.apply = function() { return 87; }