Fix memento initialization when constructing from new call

src/ia32/builtins-ia32.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #if V8_TARGET_ARCH_IA32
 
 #include "src/code-factory.h"
 #include "src/codegen.h"
@@ skipping 99 matching lines @@
   //  -- edx: original constructor
   // -----------------------------------
 
   // Should never create mementos for api functions.
   DCHECK(!is_api_function || !create_memento);
 
   // Enter a construct frame.
   {
     FrameScope scope(masm, StackFrame::CONSTRUCT);
 
-    if (create_memento) {
-      __ AssertUndefinedOrAllocationSite(ebx);
-      __ push(ebx);
-    }
+    // Always push a potential allocation site to preserve a fixed frame size.

[Michael Starzinger, 2015/07/16 14:08:28]

nit: Ideally this behavior will become the default once we turn the flag on. So
I think it might even be fine to just drop this comment and move the push into
the block at line 124 without specifically mentioning the allocation site.
Applies to all architectures.

[Michael Lippautz, 2015/07/16 14:15:35]

Done.

+    __ AssertUndefinedOrAllocationSite(ebx);
+    __ push(ebx);
 
     // Preserve the incoming parameters on the stack.
     __ SmiTag(eax);
     __ push(eax);
     __ push(edi);
     __ push(edx);
 
     // Try to allocate the object without transitioning into C code. If any of
     // the preconditions is not met, the code bails out to the runtime call.
     Label rt_call, allocated;
@@ skipping 113 matching lines @@
 
       if (create_memento) {
         __ lea(esi, Operand(edi, -AllocationMemento::kSize));
         __ InitializeFieldsWithFiller(ecx, esi, edx);
 
         // Fill in memento fields if necessary.
         // esi: points to the allocated but uninitialized memento.
         __ mov(Operand(esi, AllocationMemento::kMapOffset),
                factory->allocation_memento_map());
         // Get the cell or undefined.
-        __ mov(edx, Operand(esp, kPointerSize*2));
+        __ mov(edx, Operand(esp, 3 * kPointerSize));

[Michael Starzinger, 2015/07/16 14:08:28]

Nice catch!

[Michael Lippautz, 2015/07/16 14:15:35]

Acknowledged.

+        __ AssertUndefinedOrAllocationSite(edx);
         __ mov(Operand(esi, AllocationMemento::kAllocationSiteOffset),
                edx);
       } else {
         __ InitializeFieldsWithFiller(ecx, edi, edx);
       }
 
       // Add the object tag to make the JSObject real, so that we can continue
       // and jump into the continuation code at any time from now on.
       // ebx: JSObject (untagged)
       __ or_(ebx, Immediate(kHeapObjectTag));
@@ skipping 147 matching lines @@
 
 
 void Builtins::Generate_JSConstructStubForDerived(MacroAssembler* masm) {
   // ----------- S t a t e -------------
   //  -- eax: number of arguments
   //  -- edi: constructor function
   //  -- ebx: allocation site or undefined
   //  -- edx: original constructor
   // -----------------------------------
 
-  // TODO(dslomov): support pretenuring
-  CHECK(!FLAG_pretenuring_call_new);
-
   {
     FrameScope frame_scope(masm, StackFrame::CONSTRUCT);
 
+    // Always push a potential allocation site to preserve a fixed frame size.

[Michael Starzinger, 2015/07/16 14:08:28]

Likewise.

[Michael Lippautz, 2015/07/16 14:15:35]

Done.

+    __ AssertUndefinedOrAllocationSite(ebx);
+    __ push(ebx);
+
     // Preserve actual arguments count.
     __ SmiTag(eax);
     __ push(eax);
     __ SmiUntag(eax);
 
     // Push new.target.
     __ push(edx);
 
     // receiver is the hole.
     __ push(Immediate(masm->isolate()->factory()->the_hole_value()));
@@ skipping 1188 matching lines @@
 
   __ bind(&ok);
   __ ret(0);
 }
 
 #undef __
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_IA32