Merge r3505 and r3509 to trunk.

trunk/src/ia32/codegen-ia32.cc

Index: trunk/src/ia32/codegen-ia32.cc
===================================================================
--- trunk/src/ia32/codegen-ia32.cc	(revision 3508)
+++ trunk/src/ia32/codegen-ia32.cc	(working copy)
@@ -174,7 +174,7 @@
     function_return_is_shadowed_ = false;
 
     // Allocate the local context if needed.
-    int heap_slots = scope_->num_heap_slots();
+    int heap_slots = scope_->num_heap_slots() - Context::MIN_CONTEXT_SLOTS;
     if (heap_slots > 0) {
       Comment cmnt(masm_, "[ allocate local context");
       // Allocate local context.
@@ -6741,8 +6741,11 @@
   __ mov(Operand(eax, Context::SlotOffset(Context::PREVIOUS_INDEX)), ebx);
   __ mov(Operand(eax, Context::SlotOffset(Context::EXTENSION_INDEX)), ebx);
 
-  // Copy the global object from the surrounding context.
-  __ mov(ebx, Operand(esi, Context::SlotOffset(Context::GLOBAL_INDEX)));
+  // Copy the global object from the surrounding context. We go through the
+  // context in the function (ecx) to match the allocation behavior we have
+  // in the runtime system (see Heap::AllocateFunctionContext).
+  __ mov(ebx, FieldOperand(ecx, JSFunction::kContextOffset));
+  __ mov(ebx, Operand(ebx, Context::SlotOffset(Context::GLOBAL_INDEX)));
   __ mov(Operand(eax, Context::SlotOffset(Context::GLOBAL_INDEX)), ebx);
 
   // Initialize the rest of the slots to undefined.