Fix bug when generating a fast smi loop.

We may encounter an invalid frame after generating code
for the loop body in case the loop body ends in an unconditional
return. Before setting the type information for the loop variable
we need to check for a valid frame.

Review URL: http://codereview.chromium.org/1106002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4182 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/ia32/codegen-ia32.cc b/src/ia32/codegen-ia32.cc
index a13fa9047721fafd1e64b970f862f4ecfc1d1fc7..39c6653164ab397bbc4f26c009e50f456c459c6d 100644 (file)
--- a/src/ia32/codegen-ia32.cc
+++ b/src/ia32/codegen-ia32.cc
@@ -3766,7 +3766,7 @@ void CodeGenerator::VisitForStatement(ForStatement* node) {
 
   // Set the type of the loop variable to smi before compiling the test
   // expression if we are in a fast smi loop condition.
-  if (node->is_fast_smi_loop()) {
+  if (node->is_fast_smi_loop() && has_valid_frame()) {
     // Set number type of the loop variable to smi.
     Slot* slot = node->loop_variable()->slot();
     ASSERT(slot->type() == Slot::LOCAL);

diff --git a/test/mjsunit/compiler/loopcount.js b/test/mjsunit/compiler/loopcount.js
index 736d9a7791ee4265def820b2d7e9c4874501f218..da9bc6b7f0685351d0720c81b8f264839d4bb373 100644 (file)
--- a/test/mjsunit/compiler/loopcount.js
+++ b/test/mjsunit/compiler/loopcount.js
@@ -75,3 +75,12 @@ function f8() {
   return i;
 }
 assertEquals(0x40000002, f8());
+
+
+function f9() {
+  var i;
+  for (i = 0; i < 42; i++) {
+    return 42;
+  }
+}
+assertEquals(42, f9());