Fix assert/crash in HandlePolymorphicCallNamed

R=jkummerow@chromium.org
TEST=Ryan Sturgell's test runs through without crashing

Review URL: https://codereview.chromium.org/20051008

Patch from Daniel Clifford <danno@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15842 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 266c129..2b5b4c4 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -6190,6 +6190,10 @@ void HOptimizedGraphBuilder::HandlePolymorphicCallNamed(
   // know about and do not want to handle ones we've never seen.  Otherwise
   // use a generic IC.
   if (ordered_functions == types->length() && FLAG_deoptimize_uncommon_cases) {
+    // Because the deopt may be the only path in the polymorphic call, make sure
+    // that the environment stack matches the depth on deopt that it otherwise
+    // would have had after a successful call.
+    Drop(argument_count - (ast_context()->IsEffect() ? 0 : 1));
     FinishExitWithHardDeoptimization(join);
   } else {
     HValue* context = environment()->LookupContext();