Fix crashes on x64 with smi-only arrays active.

Review URL: https://chromiumcodereview.appspot.com/9384002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10672 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-10 12:28:25 +00:00 · 2012-02-10 12:28:25 +00:00 · e74b57317b
commit e74b57317b
parent 581b7e6eb2
1 changed files with 3 additions and 3 deletions
--- a/src/x64/stub-cache-x64.cc
+++ b/src/x64/stub-cache-x64.cc
@ -1384,19 +1384,19 @@ Handle<Code> CallStubCompiler::CompileArrayPushCall(
        __ CheckFastSmiOnlyElements(rbx, &call_builtin);
        // rdx: receiver
        // rbx: map
+        __ movq(r9, rdi);  // Backup rdi as it is going to be trashed.
        __ LoadTransitionedArrayMapConditional(FAST_SMI_ONLY_ELEMENTS,
                                               FAST_ELEMENTS,
                                               rbx,
-                                               r10,
+                                               rdi,
                                               &call_builtin);
        ElementsTransitionGenerator::GenerateSmiOnlyToObject(masm());
+        __ movq(rdi, r9);
        __ bind(&fast_object);
      } else {
        __ CheckFastObjectElements(rbx, &call_builtin);
      }

-      __ CheckFastObjectElements(rbx, &call_builtin);
-
      // Save new length.
      __ Integer32ToSmiField(FieldOperand(rdx, JSArray::kLengthOffset), rax);