Fix memento initialization when constructing from new call

src/x64/builtins-x64.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #if V8_TARGET_ARCH_X64
 
 #include "src/code-factory.h"
 #include "src/codegen.h"
@@ skipping 98 matching lines @@
   //  -- rdx: original constructor
   // -----------------------------------
 
   // Should never create mementos for api functions.
   DCHECK(!is_api_function || !create_memento);
 
   // Enter a construct frame.
   {
     FrameScope scope(masm, StackFrame::CONSTRUCT);
 
-    if (create_memento) {
-      __ AssertUndefinedOrAllocationSite(rbx);
-      __ Push(rbx);
-    }
+    // Always push a potential allocation site to preserve a fixed frame size.
+    __ AssertUndefinedOrAllocationSite(rbx);
+    __ Push(rbx);
 
     // Preserve the incoming parameters on the stack.
     __ Integer32ToSmi(rax, rax);
     __ Push(rax);
     __ Push(rdi);
     __ Push(rdx);
 
     // Try to allocate the object without transitioning into C code. If any of
     // the preconditions is not met, the code bails out to the runtime call.
     Label rt_call, allocated;
@@ skipping 114 matching lines @@
       }
       if (create_memento) {
         __ leap(rsi, Operand(rdi, -AllocationMemento::kSize));
         __ InitializeFieldsWithFiller(rcx, rsi, rdx);
 
         // Fill in memento fields if necessary.
         // rsi: points to the allocated but uninitialized memento.
         __ Move(Operand(rsi, AllocationMemento::kMapOffset),
                 factory->allocation_memento_map());
         // Get the cell or undefined.
-        __ movp(rdx, Operand(rsp, kPointerSize*2));
+        __ movp(rdx, Operand(rsp, 3 * kPointerSize));
+        __ AssertUndefinedOrAllocationSite(rdx);
         __ movp(Operand(rsi, AllocationMemento::kAllocationSiteOffset), rdx);
       } else {
         __ InitializeFieldsWithFiller(rcx, rdi, rdx);
       }
 
       // Add the object tag to make the JSObject real, so that we can continue
       // and jump into the continuation code at any time from now on.
       // rbx: JSObject (untagged)
       __ orp(rbx, Immediate(kHeapObjectTag));
 
@@ skipping 145 matching lines @@
 }
 
 
 void Builtins::Generate_JSConstructStubForDerived(MacroAssembler* masm) {
   // ----------- S t a t e -------------
   //  -- rax: number of arguments
   //  -- rdi: constructor function
   //  -- rbx: allocation site or undefined
   //  -- rdx: original constructor
   // -----------------------------------
-  // TODO(dslomov): support pretenuring
-  CHECK(!FLAG_pretenuring_call_new);
 
   {
     FrameScope frame_scope(masm, StackFrame::CONSTRUCT);
 
+    // Always push a potential allocation site to preserve a fixed frame size.
+    __ AssertUndefinedOrAllocationSite(rbx);
+    __ Push(rbx);
+
     // Store a smi-tagged arguments count on the stack.
     __ Integer32ToSmi(rax, rax);
     __ Push(rax);
     __ SmiToInteger32(rax, rax);
 
     // Push new.target
     __ Push(rdx);
 
     // receiver is the hole.
     __ Push(masm->isolate()->factory()->the_hole_value());
@@ skipping 1268 matching lines @@
   __ ret(0);
 }
 
 
 #undef __
 
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_X64