Check in Lithium that allocation size in Smi range.

This is to avoid triggering an assertion from Smi::FromInt. The
generated code is unreachable, so it is not a real bug.

R=ulan@chromium.org
BUG=

Review URL: https://codereview.chromium.org/221743005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20458 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/arm/lithium-codegen-arm.cc

@@ -5358,7 +5358,13 @@ void LCodeGen::DoDeferredAllocate(LAllocate* instr) {
     __ push(size);
   } else {
     int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
-    __ Push(Smi::FromInt(size));
+    if (size >= 0 && size <= Smi::kMaxValue) {
+      __ Push(Smi::FromInt(size));
+    } else {
+      // We should never get here at runtime => abort
+      __ stop("invalid allocation size");
+      return;
+    }
   }
 
   int flags = AllocateDoubleAlignFlag::encode(

src/ia32/lithium-codegen-ia32.cc

@@ -5952,7 +5952,13 @@ void LCodeGen::DoDeferredAllocate(LAllocate* instr) {
     __ push(size);
   } else {
     int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
-    __ push(Immediate(Smi::FromInt(size)));
+    if (size >= 0 && size <= Smi::kMaxValue) {
+      __ push(Immediate(Smi::FromInt(size)));
+    } else {
+      // We should never get here at runtime => abort
+      __ int3();
+      return;
+    }
   }
 
   int flags = AllocateDoubleAlignFlag::encode(

test/mjsunit/regress/regress-alloc-smi-check.js

@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+var x = {};
+
+function f(a) {
+  a[200000000] = x;
+}
+
+f(new Array(100000));
+f([]);
+%OptimizeFunctionOnNextCall(f);
+f([]);