MIPS: CallIC customization stubs must accept that a vector slot is cleared.

Port r22668 (7be1212)

Original commit message:
The CallIC Array custom IC stub read from the type vector, expecting
to get an AllocationSite. But there are paths in the system where a
type vector can be re-created with default values, even though we
currently grant an exception to clearing of vector slots with
AllocationSites in them at gc time.

BUG=392114
LOG=N
R=paul.lind@imgtec.com

Review URL: https://codereview.chromium.org/420793003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22683 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/mips/code-stubs-mips.cc

@@ -3094,9 +3094,14 @@ void CallIC_ArrayStub::Generate(MacroAssembler* masm) {
   __ li(a0, Operand(arg_count()));
   __ sll(at, a3, kPointerSizeLog2 - kSmiTagSize);
   __ Addu(at, a2, Operand(at));
-  __ lw(a2, FieldMemOperand(at, FixedArray::kHeaderSize));
-  // Verify that a2 contains an AllocationSite
-  __ AssertUndefinedOrAllocationSite(a2, at);
+  __ lw(t0, FieldMemOperand(at, FixedArray::kHeaderSize));
+
+  // Verify that t0 contains an AllocationSite
+  __ lw(t1, FieldMemOperand(t0, HeapObject::kMapOffset));
+  __ LoadRoot(at, Heap::kAllocationSiteMapRootIndex);
+  __ Branch(&miss, ne, t1, Operand(at));
+
+  __ mov(a2, t0);
   ArrayConstructorStub stub(masm->isolate(), arg_count());
   __ TailCallStub(&stub);
 
@@ -3163,7 +3168,11 @@ void CallICStub::Generate(MacroAssembler* masm) {
   __ Branch(&miss, eq, t0, Operand(at));
 
   if (!FLAG_trace_ic) {
-    // We are going megamorphic, and we don't want to visit the runtime.
+    // We are going megamorphic. If the feedback is a JSFunction, it is fine
+    // to handle it here. More complex cases are dealt with in the runtime.
+    __ AssertNotSmi(t0);
+    __ GetObjectType(t0, t1, t1);
+    __ Branch(&miss, ne, t1, Operand(JS_FUNCTION_TYPE));
     __ sll(t0, a3, kPointerSizeLog2 - kSmiTagSize);
     __ Addu(t0, a2, Operand(t0));
     __ LoadRoot(at, Heap::kMegamorphicSymbolRootIndex);

src/mips64/code-stubs-mips64.cc

@@ -3182,9 +3182,14 @@ void CallIC_ArrayStub::Generate(MacroAssembler* masm) {
   __ li(a0, Operand(arg_count()));
   __ dsrl(at, a3, 32 - kPointerSizeLog2);
   __ Daddu(at, a2, Operand(at));
-  __ ld(a2, FieldMemOperand(at, FixedArray::kHeaderSize));
-  // Verify that a2 contains an AllocationSite
-  __ AssertUndefinedOrAllocationSite(a2, at);
+  __ ld(a4, FieldMemOperand(at, FixedArray::kHeaderSize));
+
+  // Verify that a4 contains an AllocationSite
+  __ ld(a5, FieldMemOperand(a4, HeapObject::kMapOffset));
+  __ LoadRoot(at, Heap::kAllocationSiteMapRootIndex);
+  __ Branch(&miss, ne, a5, Operand(at));
+
+  __ mov(a2, a4);
   ArrayConstructorStub stub(masm->isolate(), arg_count());
   __ TailCallStub(&stub);
 
@@ -3251,7 +3256,11 @@ void CallICStub::Generate(MacroAssembler* masm) {
   __ Branch(&miss, eq, a4, Operand(at));
 
   if (!FLAG_trace_ic) {
-    // We are going megamorphic, and we don't want to visit the runtime.
+    // We are going megamorphic. If the feedback is a JSFunction, it is fine
+    // to handle it here. More complex cases are dealt with in the runtime.
+    __ AssertNotSmi(a4);
+    __ GetObjectType(a4, a5, a5);
+    __ Branch(&miss, ne, a5, Operand(JS_FUNCTION_TYPE));
     __ dsrl(a4, a3, 32 - kPointerSizeLog2);
     __ Daddu(a4, a2, Operand(a4));
     __ LoadRoot(at, Heap::kMegamorphicSymbolRootIndex);