From e91a352d025474db95f618382381984bb9bad1d7 Mon Sep 17 00:00:00 2001
From: "fschneider@chromium.org"
Date: Thu, 16 Sep 2010 09:18:08 +0000
Subject: [PATCH] Fix a regression in character-at stub when doing a keyed load on a string. Loading from out-of-range has to go to the runtime system to check if there exists a property with that index in the prototype. Review URL: http://codereview.chromium.org/3410011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5471 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
src/arm/ic-arm.cc | 7 +------
src/ia32/ic-ia32.cc | 7 +------
src/x64/ic-x64.cc | 7 +------
test/mjsunit/regress/regress-900966.js | 9 +++++++++
4 files changed, 12 insertions(+), 18 deletions(-)
diff --git a/src/arm/ic-arm.cc b/src/arm/ic-arm.cc
index 1a76db2..7878ecd 100644
--- a/src/arm/ic-arm.cc
+++ b/src/arm/ic-arm.cc
@@ -1236,7 +1236,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) { // -- r1 : receiver // ----------------------------------- Label miss; - Label index_out_of_range; Register receiver = r1; Register index = r0;
@@ -1251,7 +1250,7 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) { result, &miss, // When not a string. &miss, // When not a number. - &index_out_of_range, + &miss, // When index out of range. STRING_INDEX_IS_ARRAY_INDEX); char_at_generator.GenerateFast(masm); __ Ret();
@@ -1259,10 +1258,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) { ICRuntimeCallHelper call_helper; char_at_generator.GenerateSlow(masm, call_helper); - __ bind(&index_out_of_range); - __ LoadRoot(r0, Heap::kUndefinedValueRootIndex); - __ Ret(); - __ bind(&miss); GenerateMiss(masm); }
diff --git a/src/ia32/ic-ia32.cc b/src/ia32/ic-ia32.cc
index 3d0bd79..87af0d9 100644
--- a/src/ia32/ic-ia32.cc
+++ b/src/ia32/ic-ia32.cc
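Review bot: In src/arm/ic-arm.cc the new trailing comment on the third label argument, `&miss,  // When index out of range.`, says when the branch is taken but not why it has to leave the stub, and that reason is the whole fix. I would spell it out so the inline undefined return is not restored later as an optimisation: `&miss,  // Index out of range: a prototype may define this index, so the runtime must do the lookup.` The same wording applies to the matching hunks in src/ia32/ic-ia32.cc and src/x64/ic-x64.cc. GenerateString starts above the first hunk, so whether its header comment already describes the miss cases cannot be seen here.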
@@ -692,7 +692,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) { // -- esp[0] : return address // ----------------------------------- Label miss; - Label index_out_of_range; Register receiver = edx; Register index = eax;
@@ -707,7 +706,7 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) { result, &miss, // When not a string. &miss, // When not a number. - &index_out_of_range, + &miss, // When index out of range. STRING_INDEX_IS_ARRAY_INDEX); char_at_generator.GenerateFast(masm); __ ret(0);
@@ -715,10 +714,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) { ICRuntimeCallHelper call_helper; char_at_generator.GenerateSlow(masm, call_helper); - __ bind(&index_out_of_range); - __ Set(eax, Immediate(Factory::undefined_value())); - __ ret(0); - __ bind(&miss); GenerateMiss(masm); }
diff --git a/src/x64/ic-x64.cc b/src/x64/ic-x64.cc
index 441b114..98219ff 100644
--- a/src/x64/ic-x64.cc
+++ b/src/x64/ic-x64.cc
@@ -730,7 +730,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) { // -- rsp[0] : return address // ----------------------------------- Label miss; - Label index_out_of_range; Register receiver = rdx; Register index = rax;
@@ -745,7 +744,7 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) { result, &miss, // When not a string. &miss, // When not a number. - &index_out_of_range, + &miss, // When index out of range. STRING_INDEX_IS_ARRAY_INDEX); char_at_generator.GenerateFast(masm); __ ret(0);
@@ -753,10 +752,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) { ICRuntimeCallHelper call_helper; char_at_generator.GenerateSlow(masm, call_helper); - __ bind(&index_out_of_range); - __ LoadRoot(rax, Heap::kUndefinedValueRootIndex); - __ ret(0); - __ bind(&miss); GenerateMiss(masm); }
diff --git a/test/mjsunit/regress/regress-900966.js b/test/mjsunit/regress/regress-900966.js
index b95d10e..acffe75 100644
--- a/test/mjsunit/regress/regress-900966.js
+++ b/test/mjsunit/regress/regress-900966.js
@@ -29,6 +29,15 @@ assertTrue('abc'[10] === undefined); String.prototype[10] = 'x'; assertEquals('abc'[10], 'x'); +// Test that the fast case character-at stub handles an out-of-bound +// index correctly. We need to call the function twice to initialize +// the character-at stub. +function f() { + assertEquals('abc'[10], 'x'); +} +f(); +f(); + assertTrue(2[11] === undefined); Number.prototype[11] = 'y'; assertEquals(2[11], 'y'); -- 2.7.4
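Review bot: The added f() only exercises the warmed-up stub while String.prototype[10] is defined, so the other outcome of the miss path, an out-of-range index that no prototype defines, is checked only by the earlier top-level assertion, which presumably runs before the stub is initialized. A second helper called twice would pin that case as well, for example `function g() { assertTrue('abc'[12] === undefined); }` followed by `g(); g();` (index 12 is a constructed example of an index no prototype in this file defines). The comment could also state that the second call is the one expected to run through the stub, since the test's value depends on that warm-up count staying at two.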