From b7369c38ec77d4eb0f83bed31da24520a6fc775a Mon Sep 17 00:00:00 2001
From: "jkummerow@chromium.org"
 <jkummerow@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Wed, 24 Jul 2013 08:00:52 +0000
Subject: [PATCH] Fix assert/crash in HandlePolymorphicCallNamed

R=jkummerow@chromium.org
TEST=Ryan Sturgell's test runs through without crashing

Review URL: https://codereview.chromium.org/20051008

Patch from Daniel Clifford <danno@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15842 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 266c129..2b5b4c4 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -6190,6 +6190,10 @@ void HOptimizedGraphBuilder::HandlePolymorphicCallNamed(
   // know about and do not want to handle ones we've never seen.  Otherwise
   // use a generic IC.
   if (ordered_functions == types->length() && FLAG_deoptimize_uncommon_cases) {
+    // Because the deopt may be the only path in the polymorphic call, make sure
+    // that the environment stack matches the depth on deopt that it otherwise
+    // would have had after a successful call.
+    Drop(argument_count - (ast_context()->IsEffect() ? 0 : 1));
     FinishExitWithHardDeoptimization(join);
   } else {
     HValue* context = environment()->LookupContext();
-- 
2.7.4