- Fixed Issue 3201: Embedded Google Calendar crashes the renderer...

src/stub-cache-ia32.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 388 matching lines @@
   } else {
     code = Builtins::builtin(Builtins::KeyedLoadIC_Miss);
   }
 
   Handle<Code> ic(code);
   __ jmp(ic, RelocInfo::CODE_TARGET);
 }
 
 
 void StubCompiler::GenerateStoreField(MacroAssembler* masm,
+                                      Builtins::Name storage_extend,
                                       JSObject* object,
                                       int index,
                                       Map* transition,
                                       Register receiver_reg,
                                       Register name_reg,
                                       Register scratch,
                                       Label* miss_label) {
   // Check that the object isn't a smi.
   __ test(receiver_reg, Immediate(kSmiTagMask));
   __ j(zero, miss_label, not_taken);
 
   // Check that the map of the object hasn't changed.
   __ cmp(FieldOperand(receiver_reg, HeapObject::kMapOffset),
          Immediate(Handle<Map>(object->map())));
   __ j(not_equal, miss_label, not_taken);
 
   // Perform global security token check if needed.
   if (object->IsJSGlobalObject()) {
     __ CheckAccessGlobal(receiver_reg, scratch, miss_label);
   }
 
   // Stub never generated for non-global objects that require access
   // checks.
   ASSERT(object->IsJSGlobalObject() || !object->IsAccessCheckNeeded());
 
+  // Perform map transition for the receiver if necessary.
+  if ((transition != NULL) && (object->map()->unused_property_fields() == 0)) {
+    // The properties must be extended before we can store the value.
+    // We jump to a runtime call that extends the propeties array.
+    __ mov(Operand(ecx), Immediate(Handle<Map>(transition)));
+    Handle<Code> ic(Builtins::builtin(storage_extend));
+    __ jmp(ic, RelocInfo::CODE_TARGET);
+    return;
+  }
+
   // Get the properties array (optimistically).
   __ mov(scratch, FieldOperand(receiver_reg, JSObject::kPropertiesOffset));
-
-  // Perform map transition for the receiver if necessary.
   if (transition != NULL) {
-    if (object->map()->unused_property_fields() == 0) {
-      // The properties must be extended before we can store the value.
-      // We jump to a runtime call that extends the propeties array.
-      __ mov(Operand(ecx), Immediate(Handle<Map>(transition)));
-      Handle<Code> ic(Builtins::builtin(Builtins::StoreIC_ExtendStorage));
-      __ jmp(ic, RelocInfo::CODE_TARGET);
-    } else {
-      // Update the map of the object; no write barrier updating is
-      // needed because the map is never in new space.
-      __ mov(FieldOperand(receiver_reg, HeapObject::kMapOffset),
-             Immediate(Handle<Map>(transition)));
-    }
+    // Update the map of the object; no write barrier updating is
+    // needed because the map is never in new space.
+    __ mov(FieldOperand(receiver_reg, HeapObject::kMapOffset),
+           Immediate(Handle<Map>(transition)));
   }
 
   // Write to the properties array.
   int offset = index * kPointerSize + Array::kHeaderSize;
   __ mov(FieldOperand(scratch, offset), eax);
 
   // Update the write barrier for the array address.
   // Pass the value being stored in the now unused name_reg.
   __ mov(name_reg, Operand(eax));
   __ RecordWrite(scratch, offset, name_reg, receiver_reg);
@@ skipping 269 matching lines @@
   //  -- esp[4] : receiver
   // -----------------------------------
 
   HandleScope scope;
   Label miss;
 
   // Get the object from the stack.
   __ mov(ebx, Operand(esp, 1 * kPointerSize));
 
   // Generate store field code.  Trashes the name register.
-  GenerateStoreField(masm(), object, index, transition, ebx, ecx, edx, &miss);
+  GenerateStoreField(masm(),
+                     Builtins::StoreIC_ExtendStorage,
+                     object,
+                     index,
+                     transition,
+                     ebx, ecx, edx,
+                     &miss);
 
   // Handle store cache miss.
   __ bind(&miss);
   __ mov(Operand(ecx), Immediate(Handle<String>(name)));  // restore name
   Handle<Code> ic(Builtins::builtin(Builtins::StoreIC_Miss));
   __ jmp(ic, RelocInfo::CODE_TARGET);
 
   // Return the generated code.
   return GetCode(transition == NULL ? FIELD : MAP_TRANSITION);
 }
@@ skipping 129 matching lines @@
   // Get the name from the stack.
   __ mov(ecx, Operand(esp, 1 * kPointerSize));
   // Check that the name has not changed.
   __ cmp(Operand(ecx), Immediate(Handle<String>(name)));
   __ j(not_equal, &miss, not_taken);
 
   // Get the object from the stack.
   __ mov(ebx, Operand(esp, 2 * kPointerSize));
 
   // Generate store field code.  Trashes the name register.
-  GenerateStoreField(masm(), object, index, transition, ebx, ecx, edx, &miss);
+  GenerateStoreField(masm(),
+                     Builtins::KeyedStoreIC_ExtendStorage,
+                     object,
+                     index,
+                     transition,
+                     ebx, ecx, edx,
+                     &miss);
 
   // Handle store cache miss.
   __ bind(&miss);
   __ DecrementCounter(&Counters::keyed_store_field, 1);
   Handle<Code> ic(Builtins::builtin(Builtins::KeyedStoreIC_Miss));
   __ jmp(ic, RelocInfo::CODE_TARGET);
 
   // Return the generated code.
   return GetCode(transition == NULL ? FIELD : MAP_TRANSITION);
 }
@@ skipping 340 matching lines @@
   GenerateLoadMiss(masm(), Code::KEYED_LOAD_IC);
 
   // Return the generated code.
   return GetCode(CALLBACKS);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal