Fix compose-discard crasher from 11524. We can't do a call (to a generic

src/ia32/lithium-codegen-ia32.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 2257 matching lines @@
   }
 }
 
 
 void LCodeGen::DoLoadNamedFieldPolymorphic(LLoadNamedFieldPolymorphic* instr) {
   Register object = ToRegister(instr->object());
   Register result = ToRegister(instr->result());
 
   int map_count = instr->hydrogen()->types()->length();
   Handle<String> name = instr->hydrogen()->name();
-  if (map_count == 0) {
-    ASSERT(instr->hydrogen()->need_generic());
+  if (map_count == 0 && instr->hydrogen()->need_generic()) {
     __ mov(ecx, name);
     Handle<Code> ic = isolate()->builtins()->LoadIC_Initialize();
     CallCode(ic, RelocInfo::CODE_TARGET, instr);
   } else {
     Label done;
     for (int i = 0; i < map_count - 1; ++i) {
       Handle<Map> map = instr->hydrogen()->types()->at(i);
       Label next;
       __ cmp(FieldOperand(object, HeapObject::kMapOffset), map);
       __ j(not_equal, &next, Label::kNear);
       EmitLoadFieldOrConstantFunction(result, object, map, name);
       __ jmp(&done, Label::kNear);
       __ bind(&next);
     }
-    Handle<Map> map = instr->hydrogen()->types()->last();
-    __ cmp(FieldOperand(object, HeapObject::kMapOffset), map);
     if (instr->hydrogen()->need_generic()) {
-      Label generic;
-      __ j(not_equal, &generic, Label::kNear);
-      EmitLoadFieldOrConstantFunction(result, object, map, name);
-      __ jmp(&done, Label::kNear);
-      __ bind(&generic);
+      if (map_count != 0) {

[Michael Starzinger, 2012/05/10 13:06:01]

It seems as if this condition always holds, otherwise you would have ended up in
the IC case. Can we replace this with an ASSERT(map_count != 0)?

[Erik Corry, 2012/05/10 20:28:36]

No, there are two conditions to get into the IC case now.

+        Handle<Map> map = instr->hydrogen()->types()->last();
+        __ cmp(FieldOperand(object, HeapObject::kMapOffset), map);
+        Label generic;
+        __ j(not_equal, &generic, Label::kNear);
+        EmitLoadFieldOrConstantFunction(result, object, map, name);
+        __ jmp(&done, Label::kNear);
+        __ bind(&generic);
+      }
       __ mov(ecx, name);
       Handle<Code> ic = isolate()->builtins()->LoadIC_Initialize();
       CallCode(ic, RelocInfo::CODE_TARGET, instr);
     } else {
-      DeoptimizeIf(not_equal, instr->environment());
-      EmitLoadFieldOrConstantFunction(result, object, map, name);
+      if (map_count != 0) {

[Michael Starzinger, 2012/05/10 13:06:01]

Then it makes sense to turn this into an "else if" which would simplify the
structure.

[Erik Corry, 2012/05/10 20:28:36]

Same objection.

+        Handle<Map> map = instr->hydrogen()->types()->last();
+        __ cmp(FieldOperand(object, HeapObject::kMapOffset), map);
+        DeoptimizeIf(not_equal, instr->environment());
+        EmitLoadFieldOrConstantFunction(result, object, map, name);
+      } else {
+        DeoptimizeIf(no_condition, instr->environment());
+      }
     }
     __ bind(&done);
   }
 }
 
 
 void LCodeGen::DoLoadNamedGeneric(LLoadNamedGeneric* instr) {
   ASSERT(ToRegister(instr->context()).is(esi));
   ASSERT(ToRegister(instr->object()).is(edx));
   ASSERT(ToRegister(instr->result()).is(eax));
@@ skipping 2744 matching lines @@
                               FixedArray::kHeaderSize - kPointerSize));
   __ bind(&done);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_IA32