Fix deoptimization problem with inlined Array.push()

R=jarin@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/247573008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20911 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/deoptimizer.cc

@@ -2632,13 +2632,11 @@ unsigned Deoptimizer::ComputeInputFrameSize() const {
   // function into account so we have to avoid double counting them.
   unsigned result = fixed_size + fp_to_sp_delta_ -
       StandardFrameConstants::kFixedFrameSizeFromFp;
-#ifdef DEBUG
   if (compiled_code_->kind() == Code::OPTIMIZED_FUNCTION) {
     unsigned stack_slots = compiled_code_->stack_slots();
     unsigned outgoing_size = ComputeOutgoingArgumentSize();
-    ASSERT(result == fixed_size + (stack_slots * kPointerSize) + outgoing_size);
+    CHECK(result == fixed_size + (stack_slots * kPointerSize) + outgoing_size);
   }
-#endif
   return result;
 }
 

src/hydrogen.cc

@@ -7811,6 +7811,7 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
 
       HValue* value_to_push = Pop();
       HValue* array = Pop();
+      Drop(1);  // Drop function.
 
       HInstruction* new_size = NULL;
       HValue* length = NULL;
@@ -7832,7 +7833,6 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
         Add<HSimulate>(expr->id(), REMOVABLE_SIMULATE);
       }
 
-      Drop(1);  // Drop function.
       ast_context()->ReturnValue(new_size);
       return true;
     }

test/mjsunit/array-push10.js

+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_17(__v_9) {
+ var __v_10 = 0;
+ var count = 10000;
+ while (count-- != 0) {
+   __v_9.push(0);
+   if (++__v_10 >= 2) return __v_9;
+   __v_10 = {};
+ }
+}
+
+__v_14 = __f_17([]);