Fix inobject slack tracking for both subclassing and non-subclassing cases.

src/mips/builtins-mips.cc

Index: src/mips/builtins-mips.cc
diff --git a/src/mips/builtins-mips.cc b/src/mips/builtins-mips.cc
index 573e48a984df54bbbf1076a069fc63cdaa30e0b1..7db46e87721b9db4eae2737a211d3e36062800c6 100644
--- a/src/mips/builtins-mips.cc
+++ b/src/mips/builtins-mips.cc
@@ -393,35 +393,10 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
         __ lbu(t5, FieldMemOperand(a2, Map::kInstanceTypeOffset));
         __ Branch(&rt_call, eq, t5, Operand(JS_FUNCTION_TYPE));
 
-        if (!is_api_function) {
-          Label allocate;
-          MemOperand bit_field3 = FieldMemOperand(a2, Map::kBitField3Offset);
-          // Check if slack tracking is enabled.
-          __ lw(t0, bit_field3);
-          __ DecodeField<Map::Counter>(t2, t0);
-          __ Branch(&allocate, lt, t2, Operand(Map::kSlackTrackingCounterEnd));
-          // Decrease generous allocation count.
-          __ Subu(t0, t0, Operand(1 << Map::Counter::kShift));
-          __ Branch(USE_DELAY_SLOT, &allocate, ne, t2,
-                    Operand(Map::kSlackTrackingCounterEnd));
-          __ sw(t0, bit_field3);  // In delay slot.
-
-          // Push the constructor, new_target and map to the stack, and
-          // the map again as an argument to the runtime call.
-          __ Push(a1, a3, a2, a2);
-          __ CallRuntime(Runtime::kFinalizeInstanceSize, 1);
-
-          __ Pop(a1, a3, a2);
-          __ li(t2, Operand(Map::kSlackTrackingCounterEnd - 1));
-
-          __ bind(&allocate);
-        }
-
         // Now allocate the JSObject on the heap.
         // a1: constructor function
         // a2: initial map
         // a3: new target
-        // t2: slack tracking counter (non-API function case)
         __ lbu(t3, FieldMemOperand(a2, Map::kInstanceSizeOffset));
 
         __ Allocate(t3, t4, t3, t6, &rt_call, SIZE_IN_WORDS);
@@ -431,9 +406,8 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
         // a1: constructor function
         // a2: initial map
         // a3: new target
-        // t4: JSObject (not tagged)
+        // t4: JSObject (not HeapObject tagged - the actual address).
         // t3: start of next object
-        // t2: slack tracking counter (non-API function case)
         __ LoadRoot(t6, Heap::kEmptyFixedArrayRootIndex);
         __ mov(t5, t4);
         STATIC_ASSERT(0 * kPointerSize == JSObject::kMapOffset);
@@ -445,18 +419,28 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
         STATIC_ASSERT(3 * kPointerSize == JSObject::kHeaderSize);
         __ Addu(t5, t5, Operand(3 * kPointerSize));
 
+        // Add the object tag to make the JSObject real, so that we can continue
+        // and jump into the continuation code at any time from now on.
+        __ Addu(t4, t4, Operand(kHeapObjectTag));
+
         // Fill all the in-object properties with appropriate filler.
+        // t4: JSObject (tagged)
         // t5: First in-object property of JSObject (not tagged)
-
-        // Use t7 to hold undefined, which is used in several places below.
         __ LoadRoot(t7, Heap::kUndefinedValueRootIndex);
 
         if (!is_api_function) {
           Label no_inobject_slack_tracking;
 
+          MemOperand bit_field3 = FieldMemOperand(a2, Map::kBitField3Offset);
           // Check if slack tracking is enabled.
+          __ lw(t0, bit_field3);
+          __ DecodeField<Map::Counter>(t2, t0);
+          // t2: slack tracking counter
           __ Branch(&no_inobject_slack_tracking, lt, t2,
                     Operand(Map::kSlackTrackingCounterEnd));
+          // Decrease generous allocation count.
+          __ Subu(t0, t0, Operand(1 << Map::Counter::kShift));
+          __ sw(t0, bit_field3);
 
           // Allocate object with a slack.
           __ lbu(a0, FieldMemOperand(a2, Map::kUnusedPropertyFieldsOffset));
@@ -472,16 +456,28 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
           // To allow truncation fill the remaining fields with one pointer
           // filler map.
           __ LoadRoot(t7, Heap::kOnePointerFillerMapRootIndex);
+          __ InitializeFieldsWithFiller(t5, t3, t7);
+
+          // t2: slack tracking counter value before decreasing.
+          __ Branch(&allocated, ne, t2, Operand(Map::kSlackTrackingCounterEnd));
+
+          // Push the constructor, new_target and the object to the stack,
+          // and then the initial map as an argument to the runtime call.
+          __ Push(a1, a3, t4, a2);
+          __ CallRuntime(Runtime::kFinalizeInstanceSize, 1);
+          __ Pop(a1, a3, t4);
+
+          // Continue with JSObject being successfully allocated.
+          // a1: constructor function
+          // a3: new target
+          // t4: JSObject
+          __ jmp(&allocated);
 
           __ bind(&no_inobject_slack_tracking);
         }
 
         __ InitializeFieldsWithFiller(t5, t3, t7);
 
-        // Add the object tag to make the JSObject real, so that we can continue
-        // and jump into the continuation code at any time from now on.
-        __ Addu(t4, t4, Operand(kHeapObjectTag));
-
         // Continue with JSObject being successfully allocated.
         // a1: constructor function
         // a3: new target