Fix ASSERT violation when BinaryOpIC::Transition recurses into itself

BUG=chromium:352586
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/201313002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20000 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/ic.cc

@@ -2404,8 +2404,11 @@ MaybeObject* BinaryOpIC::Transition(Handle<AllocationSite> allocation_site,
       isolate(), function, left, 1, &right, &caught_exception);
   if (caught_exception) return Failure::Exception();
 
+  // Execution::Call can execute arbitrary JavaScript, hence potentially
+  // update the state of this very IC, so we must update the stored state.
+  UpdateTarget();
   // Compute the new state.
-  State old_state = state;
+  State old_state(target()->extra_ic_state());
   state.Update(left, right, result);
 
   // Check if we have a string operation here.

src/ic.h

@@ -247,6 +247,11 @@ class IC {
     extra_ic_state_ = state;
   }
 
+ protected:
+  void UpdateTarget() {
+    target_ = handle(raw_target(), isolate_);
+  }
+
  private:
   Code* raw_target() const {
     return GetTargetAtAddress(address(), constant_pool());

test/mjsunit/regress/regress-crbug-352586.js

+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = {};
+
+function getter() {
+  do {
+    return a + 1;
+  } while (false);
+}
+
+a.__proto__ = Error("");
+a.__defineGetter__('message', getter);
+a.message;