The toplevel code generator assumed that declarations did not shadow...

The toplevel code generator assumed that declarations did not shadow
parameters.  This could case the initial value to be lost or worse, a
crash.

Fix by handling the case of a declaration shadowing both
stack-allocated parameters and those in the arguments object.

This is related to V8 issue 540.
http://code.google.com/p/v8/issues/detail?id=540

BUG=29565
Committed: http://code.google.com/p/v8/source/detail?r=3429

[Mads Ager (chromium), 2009-12-07 12:56:48]

LGTM

[fschneider, 2009-12-07 13:09:01]

http://codereview.chromium.org/469006/diff/1/3
File src/ia32/fast-codegen-ia32.cc (right):

http://codereview.chromium.org/469006/diff/1/3#newcode416
src/ia32/fast-codegen-ia32.cc:416: 
I'm confused by the variable rewrites again :)
And I guess the following defensive assert holds here:
ASSERT(slot != NULL || prop != NULL)

http://codereview.chromium.org/469006/diff/1/3#newcode495
src/ia32/fast-codegen-ia32.cc:495: Handle<Code>
ic(Builtins::builtin(Builtins::KeyedLoadIC_Initialize));
KeyedStore instead of load?

http://codereview.chromium.org/469006/diff/1/2
File test/mjsunit/regress/regress-540.js (right):

http://codereview.chromium.org/469006/diff/1/2#newcode36
test/mjsunit/regress/regress-540.js:36: (function (x) {
This function won't hit the top-level compiler. You could use the flag
--always_fast_compiler to do that.

[Kevin Millikin (Chromium), 2009-12-07 13:29:59]

http://codereview.chromium.org/469006/diff/1/3
File src/ia32/fast-codegen-ia32.cc (right):

http://codereview.chromium.org/469006/diff/1/3#newcode495
src/ia32/fast-codegen-ia32.cc:495: Handle<Code>
ic(Builtins::builtin(Builtins::KeyedLoadIC_Initialize));
On 2009/12/07 13:09:01, fschneider wrote:
> KeyedStore instead of load?

Good catch.  Fixed and added test coverage.