From d9b6b6439d7f7a6006b61687e31a12f6ef6275f5 Mon Sep 17 00:00:00 2001
From: "jkummerow@chromium.org"
Date: Wed, 19 Mar 2014 15:49:29 +0000
Subject: [PATCH] Fix polymorphic keyed loads for SLOPPY_ARGUMENTS_ELEMENTS
BUG=chromium:350867
LOG=y
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/203303010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20087 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/ic.cc | 2 --
 src/stub-cache.cc | 2 ++
 test/mjsunit/regress/regress-crbug-350867.js | 15 +++++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-350867.js
diff --git a/src/ic.cc b/src/ic.cc
index 399be0e965..4924dbb8d7 100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -1096,7 +1096,6 @@ MaybeObject* KeyedLoadIC::Load(Handle object, Handle key) {
 maybe_object = LoadIC::Load(object, Handle::cast(key));
 if (maybe_object->IsFailure()) return maybe_object;
 } else if (FLAG_use_ic && !object->IsAccessCheckNeeded()) {
- ASSERT(!object->IsAccessCheckNeeded());
 if (object->IsString() && key->IsNumber()) {
 if (state() == UNINITIALIZED) stub = string_stub();
 } else if (object->IsJSObject()) {
@@ -1117,7 +1116,6 @@ MaybeObject* KeyedLoadIC::Load(Handle object, Handle key) {
 if (*stub == *generic_stub()) {
 TRACE_GENERIC_IC(isolate(), "KeyedLoadIC", "set generic");
 }
- ASSERT(!stub.is_null());
 set_target(*stub);
 TRACE_IC("LoadIC", key);
 }
diff --git a/src/stub-cache.cc b/src/stub-cache.cc
index d52d424095..092eaa33d4 100644
--- a/src/stub-cache.cc
+++ b/src/stub-cache.cc
@@ -1306,6 +1306,8 @@ void KeyedLoadStubCompiler::CompileElementHandlers(MapHandleList* receiver_maps,
 cached_stub = KeyedLoadFastElementStub(is_js_array, elements_kind).GetCode(isolate());
+ } else if (elements_kind == SLOPPY_ARGUMENTS_ELEMENTS) {
+ cached_stub = isolate()->builtins()->KeyedLoadIC_SloppyArguments();
 } else {
 ASSERT(elements_kind == DICTIONARY_ELEMENTS);
 cached_stub = KeyedLoadDictionaryElementStub().GetCode(isolate());
diff --git a/test/mjsunit/regress/regress-crbug-350867.js b/test/mjsunit/regress/regress-crbug-350867.js
new file mode 100644
index 0000000000..d8b826cff5
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-350867.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f1(a, i) {
+ return a[i];
+}
+function f2(a, b, c, index) {
+ return f1(arguments, index);
+}
+
+f2(2, 3, 4, "foo");
+f2(2, 3, 4, "foo");
+assertEquals(11, f1([11, 22, 33], 0));
+assertEquals(22, f2(22, 33, 44, 0));
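Review bot: The final `else` below the new branch still guards its assumption with ASSERT only, so in a build where ASSERT is compiled out (V8's ASSERT is debug-only) any elements kind that falls through — as SLOPPY_ARGUMENTS_ELEMENTS did before this change — is handed a KeyedLoadDictionaryElementStub for a backing store that is presumably not a dictionary, the same mismatch this commit closes for one kind. Replace the debug-only check with one that holds in every build, `CHECK(elements_kind == DICTIONARY_ELEMENTS);`, so an unhandled kind fails fast instead of compiling a handler for the wrong elements layout. CompileElementHandlers starts before this hunk and the rest of its body is outside it.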
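Review bot: The two `f2(2, 3, 4, "foo")` calls carry no assertion and no comment, so it is not apparent that they exist to give f1's keyed load a sloppy-arguments receiver before `f1([11, 22, 33], 0)` adds an array map and makes the site polymorphic, which is presumably the path the commit fixes. A comment above them, `// Warm up f1 on an arguments object, then on an array, so its keyed load goes polymorphic before the final f2 call.`, would document that intent. Asserting their result as well, `assertEquals(undefined, f2(2, 3, 4, "foo"));`, would also catch a regression in the string-keyed arguments path rather than only in the numeric one checked last.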