Bug 595706: fix object class guard for arguments length PIC, r=cdleary

--HG--
extra : rebase_source : 7aef085022eefa1a214fcacc3f9b92795be579c1

js/src/methodjit/PolyIC.cpp

@@ -791,7 +791,7 @@ class GetPropCompiler : public PICStubCompiler
         Assembler masm;
 
         Address clasp(pic.objReg, offsetof(JSObject, clasp));
-        Jump notArgs = masm.branchPtr(Assembler::NotEqual, clasp, ImmPtr(&js_SlowArrayClass));
+        Jump notArgs = masm.branchPtr(Assembler::NotEqual, clasp, ImmPtr(obj->getClass()));
 
         masm.load32(Address(pic.objReg,
                             offsetof(JSObject, fslots)
@@ -799,6 +799,7 @@ class GetPropCompiler : public PICStubCompiler
                     pic.objReg);
         masm.move(pic.objReg, pic.shapeReg);
         Jump overridden = masm.branchTest32(Assembler::NonZero, pic.shapeReg, Imm32(1));
+        masm.rshift32(Imm32(JSObject::ARGS_PACKED_BITS_COUNT), pic.objReg);
         
         masm.move(ImmType(JSVAL_TYPE_INT32), pic.shapeReg);
         Jump done = masm.jump();

js/src/trace-test/tests/pic/bug595706.js

@@ -0,0 +1,19 @@
+function f(useArg2, arg2, expect) {
+    var args = arguments;
+    if (useArg2)
+	args = arg2;
+
+    print(args)
+    assertEq(args.length, expect);
+}
+
+// Generate a PIC for arguments.
+f(false, 0, 3);
+f(false, 0, 3);
+f(false, 0, 3);
+
+// Now call it with a slow array.
+var a = [1, 2, 3];
+a.x = 9;
+
+f(true, a, 3);