From 7eea77bc5cd1a58324738eda64fb33ae63bf1192 Mon Sep 17 00:00:00 2001
From: "bmeurer@chromium.org"
 <bmeurer@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Tue, 10 Jun 2014 04:26:15 +0000
Subject: [PATCH] Fix missing smi check in inlined indexOf/lastIndexOf.

BUG=382513
LOG=y
R=danno@chromium.org

Review URL: https://codereview.chromium.org/313233005

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21727 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen.cc                              |  3 ++-
 test/mjsunit/regress/regress-crbug-382513.js | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-382513.js

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 1e623af..df83f04 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8538,7 +8538,8 @@ HValue* HOptimizedGraphBuilder::BuildArrayIndexOf(HValue* receiver,
               elements, index, static_cast<HValue*>(NULL),
               kind, ALLOW_RETURN_HOLE);
           IfBuilder if_issame(this);
-          HCompareMap* issame = if_issame.If<HCompareMap>(
+          if_issame.IfNot<HIsSmiAndBranch>(element);
+          HCompareMap* issame = if_issame.AndIf<HCompareMap>(
               element, isolate()->factory()->heap_number_map());
           if_issame.And();
           HValue* number = Add<HLoadNamedField>(
diff --git a/test/mjsunit/regress/regress-crbug-382513.js b/test/mjsunit/regress/regress-crbug-382513.js
new file mode 100644
index 0000000..59d2dca
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-382513.js
@@ -0,0 +1,11 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() { return [+0,false].indexOf(-(4/3)); }
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
-- 
2.7.4