Merged: [arm] Fix custom addition in MacroAssembler::[Fast]Allocate

test/mjsunit/regress/regress-crbug-663402.js

Index: test/mjsunit/regress/regress-crbug-663402.js
diff --git a/test/mjsunit/regress/regress-crbug-663402.js b/test/mjsunit/regress/regress-crbug-663402.js
new file mode 100644
index 0000000000000000000000000000000000000000..5368bd6e804a6dc2a323e33074796d25f4047512
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-663402.js
@@ -0,0 +1,40 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var g_eval = eval;
+function emit_f(size) {
+  var body = "function f(x) {" +
+             "  if (x < 0) return x;" +
+             "  var a = [1];" +
+             "  if (x > 0) return [";
+  for (var i = 0; i < size; i++) {
+    body += "0.1, ";
+  }
+  body += "  ];" +
+          "  return a;" +
+          "}";
+  g_eval(body);
+}
+
+// Length must be big enough to make the backing store's size not fit into
+// a single instruction's immediate field (2^12).
+var kLength = 701;
+emit_f(kLength);
+f(1);
+f(1);
+%OptimizeFunctionOnNextCall(f);
+var a = f(1);
+
+// Allocating something else should not disturb |a|.
+var b = new Object();
+for (var i = 0; i < kLength; i++) {
+  assertEquals(0.1, a[i]);
+}
+
+// Allocating more should not crash.
+for (var i = 0; i < 300; i++) {
+  f(1);
+}