From e74b57317b67765f7ede039be106e0783570f66a Mon Sep 17 00:00:00 2001
From: "yangguo@chromium.org"
Date: Fri, 10 Feb 2012 12:28:25 +0000
Subject: [PATCH] Fix crashes on x64 with smi-only arrays active.

Review URL: https://chromiumcodereview.appspot.com/9384002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10672 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/x64/stub-cache-x64.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/x64/stub-cache-x64.cc b/src/x64/stub-cache-x64.cc
index 6e60993..576e2f4 100644
--- a/src/x64/stub-cache-x64.cc
+++ b/src/x64/stub-cache-x64.cc
@@ -1384,19 +1384,19 @@ Handle CallStubCompiler::CompileArrayPushCall(
 __ CheckFastSmiOnlyElements(rbx, &call_builtin);
 // rdx: receiver
 // rbx: map
+ __ movq(r9, rdi); // Backup rdi as it is going to be trashed.
 __ LoadTransitionedArrayMapConditional(FAST_SMI_ONLY_ELEMENTS,
 FAST_ELEMENTS,
 rbx,
- r10,
+ rdi,
 &call_builtin);
 ElementsTransitionGenerator::GenerateSmiOnlyToObject(masm());
+ __ movq(rdi, r9);
 __ bind(&fast_object);
 } else {
 __ CheckFastObjectElements(rbx, &call_builtin);
 }
- __ CheckFastObjectElements(rbx, &call_builtin);
-
 // Save new length.
 __ Integer32ToSmiField(FieldOperand(rdx, JSArray::kLengthOffset), rax);
-- 
2.7.4
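Review bot: rdi is restored from r9 only on the fall-through path after `GenerateSmiOnlyToObject`, but `LoadTransitionedArrayMapConditional` now receives rdi as its scratch register and can branch to `call_builtin` before `__ movq(rdi, r9);` runs. `call_builtin` is bound outside this hunk, so whether that path still reads rdi cannot be confirmed from here; if it does not, state it next to the backup, e.g. `// call_builtin does not use rdi, so it is not restored on the bail-out path.` The backup also assumes that neither helper writes r9, which deserves the same one-line statement, since a clobbered register in a generated stub shows up as a crash or memory corruption at run time rather than as a compile error. CompileArrayPushCall starts and ends outside the hunk.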