Fix fuzzer-found error where left and right were the same register in bitops.

src/ia32/codegen-ia32.cc

 // Copyright 2010 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 1037 matching lines @@
   DeferredInlineBinaryOperation(Token::Value op,
                                 Register dst,
                                 Register left,
                                 Register right,
                                 TypeInfo left_info,
                                 TypeInfo right_info,
                                 OverwriteMode mode)
       : op_(op), dst_(dst), left_(left), right_(right),
         left_info_(left_info), right_info_(right_info), mode_(mode) {
     set_comment("[ DeferredInlineBinaryOperation");
+    ASSERT(!left.is(right));
   }
 
   virtual void Generate();
 
   // This stub makes explicit calls to SaveRegisters(), RestoreRegisters() and
   // Exit().
   virtual bool AutoSaveAndRestore() { return false; }
 
   void JumpToAnswerOutOfRange(Condition cond);
   void JumpToConstantRhs(Condition cond, Smi* smi_value);
@@ skipping 769 matching lines @@
     }
     ASSERT(remainder.is_register() && remainder.reg().is(edx));
     ASSERT(!(left->is_register() && left->reg().is(edx)));
     ASSERT(!(right->is_register() && right->reg().is(edx)));
 
     left->ToRegister();
     right->ToRegister();
     frame_->Spill(eax);
     frame_->Spill(edx);
     // DeferredInlineBinaryOperation requires all the registers that it is
-    // told about to be spilled.
-    frame_->Spill(left->reg());
-    frame_->Spill(right->reg());
+    // told about to be spilled and distinct.
+    Result distinct_right = frame_->MakeDistinctAndSpilled(left, right);
 
     // Check that left and right are smi tagged.
     DeferredInlineBinaryOperation* deferred =
         new DeferredInlineBinaryOperation(op,
                                           (op == Token::DIV) ? eax : edx,
                                           left->reg(),
-                                          right->reg(),
+                                          distinct_right.reg(),
                                           left_type_info,
                                           right_type_info,
                                           overwrite_mode);
     JumpIfNotBothSmiUsingTypeInfo(left->reg(), right->reg(), edx,
                                   left_type_info, right_type_info, deferred);
     if (!left_is_in_eax) {
       __ mov(eax, left->reg());
     }
     // Sign extend eax into edx:eax.
     __ cdq();
@@ skipping 72 matching lines @@
     if (left_type_info.IsSmi()) {
       if (FLAG_debug_code) __ AbortIfNotSmi(left->reg());
     }
     if (right_type_info.IsSmi()) {
       if (FLAG_debug_code) __ AbortIfNotSmi(right->reg());
     }
 
     // We will modify right, it must be spilled.
     frame_->Spill(ecx);
     // DeferredInlineBinaryOperation requires all the registers that it is told
-    // about to be spilled.
+    // about to be spilled and distinct.  We know that right is ecx and left is
+    // not ecx.
     frame_->Spill(left->reg());
 
     // Use a fresh answer register to avoid spilling the left operand.
     answer = allocator_->Allocate();
     ASSERT(answer.is_valid());
     DeferredInlineBinaryOperation* deferred =
         new DeferredInlineBinaryOperation(op,
                                           answer.reg(),
                                           left->reg(),
                                           ecx,
@@ skipping 54 matching lines @@
     right->Unuse();
     ASSERT(answer.is_valid());
     return answer;
   }
 
   // Handle the other binary operations.
   left->ToRegister();
   right->ToRegister();
   // DeferredInlineBinaryOperation requires all the registers that it is told
   // about to be spilled.
-  frame_->Spill(left->reg());
-  frame_->Spill(right->reg());
+  Result distinct_right = frame_->MakeDistinctAndSpilled(left, right);
   // A newly allocated register answer is used to hold the answer.  The
   // registers containing left and right are not modified so they don't
   // need to be spilled in the fast case.
   answer = allocator_->Allocate();
   ASSERT(answer.is_valid());
 
   // Perform the smi tag check.
   DeferredInlineBinaryOperation* deferred =
       new DeferredInlineBinaryOperation(op,
                                         answer.reg(),
                                         left->reg(),
-                                        right->reg(),
+                                        distinct_right.reg(),
                                         left_type_info,
                                         right_type_info,
                                         overwrite_mode);
   Label non_smi_bit_op;
   if (op != Token::BIT_OR) {
     JumpIfNotBothSmiUsingTypeInfo(left->reg(), right->reg(), answer.reg(),
                                   left_type_info, right_type_info,
                                   deferred->NonSmiInputLabel());
   }
 
@@ skipping 12213 matching lines @@
   masm.GetCode(&desc);
   // Call the function from C++.
   return FUNCTION_CAST<MemCopyFunction>(buffer);
 }
 
 #undef __
 
 } }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_IA32