From: bmeurer@chromium.org <bmeurer@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Tue, 10 Jun 2014 04:26:15 +0000 (+0000)
Subject: Fix missing smi check in inlined indexOf/lastIndexOf.
X-Git-Tag: upstream/4.7.83~8770
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=7eea77bc5cd1a58324738eda64fb33ae63bf1192;p=platform%2Fupstream%2Fv8.git

Fix missing smi check in inlined indexOf/lastIndexOf.

BUG=382513
LOG=y
R=danno@chromium.org

Review URL: https://codereview.chromium.org/313233005

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21727 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 1e623af..df83f04 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8538,7 +8538,8 @@ HValue* HOptimizedGraphBuilder::BuildArrayIndexOf(HValue* receiver,
               elements, index, static_cast<HValue*>(NULL),
               kind, ALLOW_RETURN_HOLE);
           IfBuilder if_issame(this);
-          HCompareMap* issame = if_issame.If<HCompareMap>(
+          if_issame.IfNot<HIsSmiAndBranch>(element);
+          HCompareMap* issame = if_issame.AndIf<HCompareMap>(
               element, isolate()->factory()->heap_number_map());
           if_issame.And();
           HValue* number = Add<HLoadNamedField>(
diff --git a/test/mjsunit/regress/regress-crbug-382513.js b/test/mjsunit/regress/regress-crbug-382513.js
new file mode 100644
index 0000000..59d2dca
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-382513.js
@@ -0,0 +1,11 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() { return [+0,false].indexOf(-(4/3)); }
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();