Fix r11780 to avoid bugs where near branches are used to labels that are out of range.

src/x64/lithium-codegen-x64.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 2215 matching lines @@
       __ Cmp(FieldOperand(result, HeapObject::kMapOffset),
                           Handle<Map>(JSObject::cast(current)->map()));
       DeoptimizeIf(not_equal, env);
       current = HeapObject::cast(current->map()->prototype());
     }
     __ LoadRoot(result, Heap::kUndefinedValueRootIndex);
   }
 }
 
 
+// Check for cases where EmitLoadFieldOrConstantFunction needs to walk the
+// prototype chain, which causes unbounded code generation.
+static bool CompactEmit(
+    SmallMapList* list, Handle<String> name, int i, Isolate* isolate) {
+  LookupResult lookup(isolate);
+  Handle<Map> map = list->at(i);
+  map->LookupInDescriptors(NULL, *name, &lookup);
+  return lookup.IsFound() &&
+      (lookup.type() == FIELD || lookup.type() == CONSTANT_FUNCTION);
+}
+
+
 void LCodeGen::DoLoadNamedFieldPolymorphic(LLoadNamedFieldPolymorphic* instr) {
   Register object = ToRegister(instr->object());
   Register result = ToRegister(instr->result());
 
   int map_count = instr->hydrogen()->types()->length();
   bool need_generic = instr->hydrogen()->need_generic();
 
   if (map_count == 0 && !need_generic) {
     DeoptimizeIf(no_condition, instr->environment());
     return;
   }
   Handle<String> name = instr->hydrogen()->name();
   Label done;
-  bool compact_code = true;
+  bool all_are_compact = true;
   for (int i = 0; i < map_count; ++i) {
-    LookupResult lookup(isolate());
-    Handle<Map> map = instr->hydrogen()->types()->at(i);
-    map->LookupInDescriptors(NULL, *name, &lookup);
-    if (!lookup.IsFound() ||
-        (lookup.type() != FIELD && lookup.type() != CONSTANT_FUNCTION)) {
-      // The two cases above cause a bounded amount of code to be emitted.  This
-      // is not necessarily the case for other lookup results.
-      compact_code = false;
+    if (!CompactEmit(instr->hydrogen()->types(), name, i, isolate())) {
+      all_are_compact = false;
       break;
     }
   }
   for (int i = 0; i < map_count; ++i) {
     bool last = (i == map_count - 1);
     Handle<Map> map = instr->hydrogen()->types()->at(i);
     Label check_passed;
     __ CompareMap(object, map, &check_passed, ALLOW_ELEMENT_TRANSITION_MAPS);
     if (last && !need_generic) {
       DeoptimizeIf(not_equal, instr->environment());
       __ bind(&check_passed);
       EmitLoadFieldOrConstantFunction(
           result, object, map, name, instr->environment());
     } else {
       Label next;
-      __ j(not_equal, &next, Label::kNear);
+      bool compact = all_are_compact ? true :
+          CompactEmit(instr->hydrogen()->types(), name, i, isolate());
+      __ j(not_equal, &next, compact ? Label::kNear : Label::kFar);
       __ bind(&check_passed);
       EmitLoadFieldOrConstantFunction(
           result, object, map, name, instr->environment());
-      __ jmp(&done, compact_code ? Label::kNear: Label::kFar);
+      __ jmp(&done, all_are_compact ? Label::kNear : Label::kFar);
       __ bind(&next);
     }
   }
   if (need_generic) {
     __ Move(rcx, name);
     Handle<Code> ic = isolate()->builtins()->LoadIC_Initialize();
     CallCode(ic, RelocInfo::CODE_TARGET, instr);
   }
   __ bind(&done);
 }
@@ skipping 2648 matching lines @@
                                FixedArray::kHeaderSize - kPointerSize));
   __ bind(&done);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_X64