From: Jaroslav Sevcik
Date: Mon, 9 Mar 2015 10:10:59 +0000 (+0100)
Subject: Do not set target in deoptimized code in keyed store IC.
X-Git-Tag: upstream/4.7.83~3976
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=82a28adf059a6b5205a292233c416bd307f4cf8e;p=platform%2Fupstream%2Fv8.git

Do not set target in deoptimized code in keyed store IC.

BUG=chromium:460937
R=ishell@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/989093002

Cr-Commit-Position: refs/heads/master@{#27064}
---

diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index f896d16..41f2a33 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2181,7 +2181,9 @@ MaybeHandle KeyedStoreIC::Store(Handle object,
     TRACE_GENERIC_IC(isolate(), "KeyedStoreIC", "slow stub");
   }
   DCHECK(!stub.is_null());
-  set_target(*stub);
+  if (!AddressIsDeoptimizedCode()) {
+    set_target(*stub);
+  }
   TRACE_IC("StoreIC", key);
 
   return store_handle;
diff --git a/test/mjsunit/regress/regress-460937.js b/test/mjsunit/regress/regress-460937.js
new file mode 100644
index 0000000..cd57f93
--- /dev/null
+++ b/test/mjsunit/regress/regress-460937.js
@@ -0,0 +1,19 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+  var a = new Array(100000);
+  var i = 0;
+  while (!%HasFastDoubleElements(a)) {
+    a[i] = i;
+    i += 0.1;
+  }
+  a[1] = 1.5;
+}
+
+f();
+%OptimizeFunctionOnNextCall(f);
+f();
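Review bot: The new guard around `set_target(*stub)` carries no comment explaining why the target is left alone when the IC's code is deoptimized, so the next reader has to recover the reason from the bug number; a one-line comment such as `// Do not patch the target of code that has already been deoptimized (see chromium:460937).` placed above the `if` would carry it. `TRACE_IC("StoreIC", key)` on the following context line still runs when the patch is skipped, so the trace then reports a state change that did not happen; if that is not intended, moving the trace inside the new branch would keep the two consistent. KeyedStoreIC::Store begins before this hunk, so whether any earlier `set_target` call in the same function needs the same guard cannot be judged from here.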