[csa] Canonicalize empty elements in AllocateJSArray
Prior to this, AllocateJSArray would go ahead and allocate an empty FixedArray as elements if passed any capacity that is not a compile-time constant 0. Things break later on since we rely on the fact that empty fixed arrays are always canonicalized, and we use obj.elements == empty_fixed_array_constant interchangeably with obj.elements.length == 0.

This CL introduces two new branches in AllocateJSArray: one if the capacity is known to be non-zero; and another that explicitly distinguishes between 0 and non-zero capacities.

Bug: chromium:760790
Change-Id: I7c22b19ce9ce15a46f91b0f75e6b4a1ff3a29a0f
Reviewed-on: https://chromium-review.googlesource.com/645959
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47776}