A simple fix of issue http://code.google.com/p/chromium/issues/detail?id=3285...

src/builtins-ia32.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 36 matching lines @@
   __ JumpToBuiltin(ExternalReference(id));
 }
 
 
 void Builtins::Generate_JSConstructCall(MacroAssembler* masm) {
   // ----------- S t a t e -------------
   //  -- eax: number of arguments
   //  -- edi: constructor function
   // -----------------------------------
 
+  Label non_function_call;
+  // Check that function is not a Smi.
+  __ test(edi, Immediate(kSmiTagMask));
+  __ j(zero, &non_function_call);
+  // Check that function is a JSFunction
+  __ CmpObjectType(edi, JS_FUNCTION_TYPE, ecx);
+  __ j(not_equal, &non_function_call);
+
   // Enter a construct frame.
   __ EnterConstructFrame();
-
   // Store a smi-tagged arguments count on the stack.
   __ shl(eax, kSmiTagSize);
   __ push(eax);
 
   // Push the function to invoke on the stack.
   __ push(edi);
 
   // Try to allocate the object without transitioning into C code. If any of the
   // preconditions is not met, the code bails out to the runtime call.
   Label rt_call, allocated;
   if (FLAG_inline_new) {
     Label undo_allocation;
     ExternalReference debug_step_in_fp =
         ExternalReference::debug_step_in_fp_address();
     __ cmp(Operand::StaticVariable(debug_step_in_fp), Immediate(0));
     __ j(not_equal, &rt_call);
-    // Check that function is not a Smi.
-    __ test(edi, Immediate(kSmiTagMask));
-    __ j(zero, &rt_call);
-    // Check that function is a JSFunction
-    __ CmpObjectType(edi, JS_FUNCTION_TYPE, eax);
-    __ j(not_equal, &rt_call);
 
     // Verified that the constructor is a JSFunction.
     // Load the initial map and verify that it is in fact a map.
     // edi: constructor
     __ mov(eax, FieldOperand(edi, JSFunction::kPrototypeOrInitialMapOffset));
     // Will both indicate a NULL and a Smi
     __ test(eax, Immediate(kSmiTagMask));
     __ j(zero, &rt_call);
     // edi: constructor
     // eax: initial map (if proven valid below)
@@ skipping 201 matching lines @@
   __ bind(&exit);
   __ mov(ebx, Operand(esp, kPointerSize));  // get arguments count
   __ LeaveConstructFrame();
 
   // Remove caller arguments from the stack and return.
   ASSERT(kSmiTagSize == 1 && kSmiTag == 0);
   __ pop(ecx);
   __ lea(esp, Operand(esp, ebx, times_2, 1 * kPointerSize));  // 1 ~ receiver
   __ push(ecx);
   __ ret(0);
+
+  // edi: called object
+  // eax: number of arguments
+  __ bind(&non_function_call);
+
+  __ xor_(ebx, Operand(ebx));

[Mads Ager (chromium), 2009/04/28 10:50:15]

Add a comment that this is setting the arguments count to zero?

[Kevin Millikin (Chromium), 2009/04/28 11:48:43]

Setting the expected number of arguments (not changing eax).  You can also write
Set(ebx, Immediate(0)).

+  __ GetBuiltinEntry(edx, Builtins::CALL_NON_FUNCTION);
+  __ jmp(Handle<Code>(builtin(ArgumentsAdaptorTrampoline)),
+    RelocInfo::CODE_TARGET);
 }
 
 
 static void Generate_JSEntryTrampolineHelper(MacroAssembler* masm,
                                              bool is_construct) {
   // Clear the context before we push it when entering the JS frame.
   __ xor_(esi, Operand(esi));  // clear esi
 
   // Enter an internal frame.
   __ EnterInternalFrame();
@@ skipping 434 matching lines @@
   // Dont adapt arguments.
   // -------------------------------------------
   __ bind(&dont_adapt_arguments);
   __ jmp(Operand(edx));
 }
 
 
 #undef __
 
 } }  // namespace v8::internal