Fix bug in X64 RSet code. Optimize IA32 version.

src/x64/macro-assembler-x64.cc

Index: src/x64/macro-assembler-x64.cc
diff --git a/src/x64/macro-assembler-x64.cc b/src/x64/macro-assembler-x64.cc
index 5e39cb62c5e9088ab4be1f878191c0fab1449859..f933de72b2aefcfa6c2b4dc4821403706c6b1ddf 100644
--- a/src/x64/macro-assembler-x64.cc
+++ b/src/x64/macro-assembler-x64.cc
@@ -71,18 +71,21 @@ static void RecordWriteHelper(MacroAssembler* masm,
   // Adjust 'addr' to be relative to the start of the extra remembered set
   // and the page address in 'object' to be the address of the extra
   // remembered set.
-  masm->subq(addr, Immediate(Page::kPageSize / kPointerSize));
+
   // Load the array length into 'scratch'.
   masm->movl(scratch,
              Operand(object,
                      Page::kObjectStartOffset + FixedArray::kLengthOffset));
   // Extra remembered set starts right after FixedArray.
-  // Add the page header, array header, and array body size
-  // (length * pointer size) to the page address to find the extra remembered
-  // set start.
+  // The RSet extension area lies after the FixedArray, i.e.,
+  // at
+  //   object + kObjectStartOffset + FixedArray::kHeaderSize + 8 * scratch
+  // Make object point to (size of normal RSet + kRSetOffset) before that,
+  // so that we can address the bit directly with addr.
   masm->lea(object,
             Operand(object, scratch, times_pointer_size,
-                    Page::kObjectStartOffset + FixedArray::kHeaderSize));
+                    Page::kObjectStartOffset + FixedArray::kHeaderSize
+                        - Page::kRSetEndOffset));
 
   // NOTE: For now, we use the bit-test-and-set (bts) x86 instruction
   // to limit code size. We should probably evaluate this decision by
@@ -181,7 +184,7 @@ void MacroAssembler::RecordWrite(Register object,
     } else {
       // array access: calculate the destination address in the same manner as
       // KeyedStoreIC::GenerateGeneric.  Multiply a smi by 4 to get an offset
-      // into an array of words.
+      // into an array of pointers.
       lea(dst, Operand(object, dst, times_half_pointer_size,
                        FixedArray::kHeaderSize - kHeapObjectTag));
     }