From 56f2006605b32fee457960b94cc0fb4da3190c5e Mon Sep 17 00:00:00 2001
From: "jarin@chromium.org"
Date: Mon, 24 Mar 2014 20:51:36 +0000
Subject: [PATCH] Fix to get around an assertion that triggers when generating code that happens to be dead because the assertion is checked a bit earlier at runtime.
R=ishell@chromium.org
BUG=355486
LOG=N
Review URL: https://codereview.chromium.org/201573011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20218 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/x64/lithium-codegen-x64.cc | 11 ++++++++---
 test/mjsunit/regress/regress-355486.js | 13 +++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-355486.js
diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index a6be271..401a49e 100644
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -2910,9 +2910,14 @@ void LCodeGen::DoAccessArgumentsAt(LAccessArgumentsAt* instr) {
 instr->index()->IsConstantOperand()) {
 int32_t const_index = ToInteger32(LConstantOperand::cast(instr->index()));
 int32_t const_length = ToInteger32(LConstantOperand::cast(instr->length()));
- StackArgumentsAccessor args(arguments, const_length,
- ARGUMENTS_DONT_CONTAIN_RECEIVER);
- __ movp(result, args.GetArgumentOperand(const_index));
+ if (const_index < const_length) {
+ StackArgumentsAccessor args(arguments, const_length,
+ ARGUMENTS_DONT_CONTAIN_RECEIVER);
+ __ movp(result, args.GetArgumentOperand(const_index));
+ } else {
+ // This code should never be executed; just stop here.
+ __ int3();
+ }
 } else {
 Register length = ToRegister(instr->length());
 // There are two words between the frame pointer and the last argument.
diff --git a/test/mjsunit/regress/regress-355486.js b/test/mjsunit/regress/regress-355486.js
new file mode 100644
index 0000000..55362a1
--- /dev/null
+++ b/test/mjsunit/regress/regress-355486.js
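Review bot: The new guard `if (const_index < const_length)` in DoAccessArgumentsAt checks only the upper bound, so a negative constant index would still reach `args.GetArgumentOperand(const_index)` and emit a stack load at an offset derived from it. If the earlier runtime check that the commit message relies on also rejects negative indices, that path is equally dead and could share the trap branch: `if (const_index >= 0 && const_index < const_length) {`. The comment on the else branch should name the invariant it depends on, for example `// Dead code: the index was already checked against the length at runtime; trap if that invariant is ever broken.` DoAccessArgumentsAt starts and ends outside the hunk, so the earlier check is not visible here and its exact coverage needs confirming.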
@@ -0,0 +1,13 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() { var v = arguments[0]; }
+function g() { f(); }
+
+g();
+g();
+%OptimizeFunctionOnNextCall(g);
+g();
-- 
2.7.4
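Review bot: The test covers only the boundary case where the index equals the length (`arguments[0]` with no arguments passed), and it asserts nothing beyond the absence of a crash. A second pair such as `function f2() { var v = arguments[2]; }` and `function g2() { f2(1); }`, run through the same warm-up and `%OptimizeFunctionOnNextCall(g2)`, would cover an index strictly greater than a non-zero length. A short comment above `f` would also help, saying that the out-of-bounds `arguments` read is presumably meant to be inlined into `g` so that both index and length are constants at codegen time.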