Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
5.0.0
-
None
-
qtjsbackend e4b7d4364ba3813655692a4f519658fbd2d7a9c4
qtbase c2e8db58413207315474232697f12ddceb8310e7
qtdeclarative 610df5cdf87b9e1566b01a273fe67905b035cb93
Ubuntu 10.04, xcb plugin
-
70adcad251ae129c15e5146c54bb3e0c11ee728f
Description
Pressing 'new game' in examples/demos/samegame leads to a sudden and messy v8 crash. This example has not changed recently, so this is a severe regression.
Change c511fa8a6a631e45ee4075453bcb2eeb7f01ba63 in qtjsbackend looks like it might be related.
Full crash output (although it is 100% reproducible for me):
#
- Fatal error in ../3rdparty/v8/src/stub-cache.cc, line 1171
- CHECK(!CallIC::Contextual::decode( Code::ExtractExtraICStateFromFlags(flags))) failed
#
==== Stack trace ============================================
Security context: 0x31328995 <JS Object>#0#
2: startNewGame file:///home/alpert/depot/qt/qtdeclarative/examples/demos/samegame/content/samegame.js:57 (this=0x3274ffcd <JS Object>#1#,gc=0x31308091 <undefined>)
3: onClicked file:///home/alpert/depot/qt/qtdeclarative/examples/demos/samegame/samegame-desktop.qml:~1 (this=0x31328a2d <JS Global Object>#2#)
7: /* anonymous */ [0x327296c1 <an Object>#3#:1] (this=0x327542c5 <JS Object>#4#)
8: onClicked file:///home/alpert/depot/qt/qtdeclarative/examples/demos/samegame/content/Button.qml:1 (this=0x31328a2d <JS Global Object>#2#)
==== Details ================================================
[2]: startNewGame file:///home/alpert/depot/qt/qtdeclarative/examples/demos/samegame/content/samegame.js:57 (this=0x3274ffcd <JS Object>#1#,gc=0x31308091 <undefined>) {
// stack-allocated locals
var i = 150
var column = 0
var row = 1
// expression stack (top to bottom)
[06] : 1
[05] : 0
[04] : 0x3274ffcd <JS Object>#1#
[03] : 0x327550d1 <JS array[168]>#5#
--------- s o u r c e c o d e ---------
function startNewGame(gc)?{? gameCanvas = gc;? // Delete blocks from previous game? for (var i = 0; i < maxIndex; i++) {? if (board[i] != null)? board[i].destroy();? }?? // Calculate board size? maxColumn = Math.floor(gameCanvas.width/gameCanvas.blockSize);? maxRow = Math.floor(gam...
-----------------------------------------
}
[3]: onClicked file:///home/alpert/depot/qt/qtdeclarative/examples/demos/samegame/samegame-desktop.qml:~1 (this=0x31328a2d <JS Global Object>#2#) {
// expression stack (top to bottom)
[02] : 0x31308091 <undefined>
[01] : 0x3274ffcd <JS Object>#1#
[00] : 0x3275239d <JS Function onClicked>#6#
--------- s o u r c e c o d e ---------
function onClicked()
-----------------------------------------
}
[7]: /* anonymous */ [0x327296c1 <an Object>#3#:1] (this=0x327542c5 <JS Object>#4#) {
// stack-allocated locals
var arguments = 0x327544a9 <an Arguments>#7#
// expression stack (top to bottom)
[08] : 0x3133eff1 <JS Function>#8#
[07] : 0x327544a9 <an Arguments>#7#
[06] : 0
[05] : 0x31308091 <undefined>
[04] : 39
[03] : 0x327542c5 <JS Object>#4#
[02] : 0x31328a2d <JS Global Object>#2#
[01] : 0x3133eff1 <JS Function>#8#
--------- s o u r c e c o d e ---------
function ()
-----------------------------------------
}
[8]: onClicked file:///home/alpert/depot/qt/qtdeclarative/examples/demos/samegame/content/Button.qml:1 (this=0x31328a2d <JS Global Object>#2#) {
// expression stack (top to bottom)
[01] : 0x327542c5 <JS Object>#4#
[00] : 0x32752191 <JS Function onClicked>#9#
--------- s o u r c e c o d e ---------
function onClicked()
-----------------------------------------
}
==== Key ============================================
#0# 0x31328995: 0x31328995 <JS Object>
#1# 0x3274ffcd: 0x3274ffcd <JS Object>
#2# 0x31328a2d: 0x31328a2d <JS Global Object>
#3# 0x327296c1: 0x327296c1 <an Object>
#4# 0x327542c5: 0x327542c5 <JS Object>
#5# 0x327550d1: 0x327550d1 <JS array[168]>
0: 0x32756bad <JS Object>#10#
...
#6# 0x3275239d: 0x3275239d <JS Function onClicked>
#7# 0x327544a9: 0x327544a9 <an Arguments>
callee: 0x32754485 <JS Function>#11#
length: 0
#8# 0x3133eff1: 0x3133eff1 <JS Function>
#9# 0x32752191: 0x32752191 <JS Function onClicked>
#10# 0x32756bad: 0x32756bad <JS Object>
#11# 0x32754485: 0x32754485 <JS Function>
=====================
Aborted