    [runtime] Use JSBuiltinsConstructStub for InternalArray · 1d597f03
    Peter Marshall authored
    Part of ongoing work to remove the construct_stub field of the SFI.
    
    Generate_InternalArrayConstructor was actually incorrect for packed
    internal arrays, where it would instead create a regular internal array
    because it loaded the constructor function from the context every time.
    
    Ultimately InternalArray should be removed, or the constructor ported
    to CSA in the meantime. But for now, it is off the critical path for
    the construct_stub removal.
    
    Also fix a bug: Runtime_NewArray expects a type_info parameter, which
    should be in rbx (on x64). Because we now go through
    JSBuiltinsConstructStubHelper first, rbx is loaded with a value that
    doesn't look like a heap object, which causes a crash in NewArray.
    Fix that by first loading undefined explicitly (which is what the
    ArrayConstructor builtin does already).
    
    Bug: v8:7503
    Change-Id: Ic92fa8864b0af2d32200eb0176ba55ccff03b114
    Reviewed-on: https://chromium-review.googlesource.com/970823
    Commit-Queue: Peter Marshall <petermarshall@chromium.org>
    Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#52072}
builtins-ia32.cc 98.6 KB