From 434b456b519e62ed814061c87bb424182887170d Mon Sep 17 00:00:00 2001
From: verwaest <verwaest@chromium.org>
Date: Mon, 13 Apr 2015 09:25:38 -0700
Subject: [PATCH] Fix indirect push

BUG=chromium:388665
LOG=n

Review URL: https://codereview.chromium.org/1087463003

Cr-Commit-Position: refs/heads/master@{#27795}
---
 src/hydrogen.cc                               | 22 ++++++-------------
 .../regress-indirect-push-unchecked.js        | 20 +++++++++++++++++
 2 files changed, 27 insertions(+), 15 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-indirect-push-unchecked.js

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index c79a8170b64..7649dae047d 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -2388,6 +2388,8 @@ HInstruction* HGraphBuilder::BuildUncheckedMonomorphicElementAccess(
     PropertyAccessType access_type,
     LoadKeyedHoleMode load_mode,
     KeyedAccessStoreMode store_mode) {
+  DCHECK(top_info()->IsStub() || checked_object->IsCompareMap() ||
+         checked_object->IsCheckMaps());
   DCHECK((!IsExternalArrayElementsKind(elements_kind) &&
               !IsFixedTypedArrayElementsKind(elements_kind)) ||
          !is_js_array);
@@ -8454,11 +8456,10 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
         new_size = AddUncasted<HAdd>(length, graph()->GetConstant1());
 
         bool is_array = receiver_map->instance_type() == JS_ARRAY_TYPE;
-        BuildUncheckedMonomorphicElementAccess(array, length,
-                                               value_to_push, is_array,
-                                               elements_kind, STORE,
-                                               NEVER_RETURN_HOLE,
-                                               STORE_AND_GROW_NO_TRANSITION);
+        HValue* checked_array = Add<HCheckMaps>(array, receiver_map);
+        BuildUncheckedMonomorphicElementAccess(
+            checked_array, length, value_to_push, is_array, elements_kind,
+            STORE, NEVER_RETURN_HOLE, STORE_AND_GROW_NO_TRANSITION);
 
         if (!ast_context()->IsEffect()) Push(new_size);
         Add<HSimulate>(expr->id(), REMOVABLE_SIMULATE);
@@ -8825,18 +8826,9 @@ void HOptimizedGraphBuilder::HandleIndirectCall(Call* expr, HValue* function,
   int args_count_no_receiver = arguments_count - 1;
   if (function->IsConstant() &&
       HConstant::cast(function)->handle(isolate())->IsJSFunction()) {
-    HValue* receiver = environment()->ExpressionStackAt(args_count_no_receiver);
-    Handle<Map> receiver_map;
-    if (receiver->IsConstant() &&
-        HConstant::cast(receiver)->handle(isolate())->IsHeapObject()) {
-      receiver_map =
-          handle(Handle<HeapObject>::cast(
-                     HConstant::cast(receiver)->handle(isolate()))->map());
-    }
-
     known_function =
         Handle<JSFunction>::cast(HConstant::cast(function)->handle(isolate()));
-    if (TryInlineBuiltinMethodCall(expr, known_function, receiver_map,
+    if (TryInlineBuiltinMethodCall(expr, known_function, Handle<Map>(),
                                    args_count_no_receiver)) {
       if (FLAG_trace_inlining) {
         PrintF("Inlining builtin ");
diff --git a/test/mjsunit/regress/regress-indirect-push-unchecked.js b/test/mjsunit/regress/regress-indirect-push-unchecked.js
new file mode 100644
index 00000000000..dca7e96d4e8
--- /dev/null
+++ b/test/mjsunit/regress/regress-indirect-push-unchecked.js
@@ -0,0 +1,20 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var a = [1.5];
+
+function p() {
+  Array.prototype.push.call(a, 1.7);
+}
+
+p();
+p();
+p();
+%OptimizeFunctionOnNextCall(p);
+p();
+a.push({});
+p();
+assertEquals(1.7, a[a.length - 1]);