Always 64-bit align floating point values in heap numbers....

src/ia32/ic-ia32.cc

Index: src/ia32/ic-ia32.cc
===================================================================
--- src/ia32/ic-ia32.cc	(revision 3405)
+++ src/ia32/ic-ia32.cc	(working copy)
@@ -459,14 +459,16 @@
     // FP(0): value
     __ AllocateHeapNumber(eax, ebx, ecx, &failed_allocation);
     // Set the value.
-    __ fstp_d(FieldOperand(eax, HeapNumber::kValueOffset));
+    __ GenerateHeapNumberValueAddress(ebx, eax);
+    __ fstp_d(Operand(ebx, 0));
     __ ret(0);
   } else if (array_type == kExternalFloatArray) {
     // For the floating-point array type, we need to always allocate a
     // HeapNumber.
     __ AllocateHeapNumber(eax, ebx, ecx, &failed_allocation);
     // Set the value.
-    __ fstp_d(FieldOperand(eax, HeapNumber::kValueOffset));
+    __ GenerateHeapNumberValueAddress(ebx, eax);
+    __ fstp_d(Operand(ebx, 0));
     __ ret(0);
   } else {
     __ shl(eax, kSmiTagSize);
@@ -721,7 +723,8 @@
   // The WebGL specification leaves the behavior of storing NaN and
   // +/-Infinity into integer arrays basically undefined. For more
   // reproducible behavior, convert these to zero.
-  __ fld_d(FieldOperand(eax, HeapNumber::kValueOffset));
+  __ GenerateHeapNumberValueAddress(edx, eax);
+  __ fld_d(Operand(edx, 0));
   __ mov(edx, eax);  // Save the value.
   __ mov(ecx, FieldOperand(ecx, ExternalArray::kExternalPointerOffset));
   // ebx: untagged index
@@ -772,7 +775,8 @@
         // This test would apparently detect both NaN and Infinity,
         // but we've already checked for NaN using the FPU hardware
         // above.
-        __ mov_w(edi, FieldOperand(edx, HeapNumber::kValueOffset + 6));
+        __ GenerateHeapNumberValueAddress(edi, edx);
+        __ mov_w(edi, Operand(edi, 6));
         __ and_(edi, 0x7FF0);
         __ cmp(edi, 0x7FF0);
         __ j(not_equal, &not_infinity);