[ic] Fix elements conversion in KeyedStoreGeneric

A SmiUntag() was missing when loading the old backing store's length. BUG=chromium:664469 Review-Url: https://codereview.chromium.org/2492783004 Cr-Commit-Position: refs/heads/master@{#40921}

[ic] Fix elements conversion in KeyedStoreGeneric
A SmiUntag() was missing when loading the old backing store's length. BUG=chromium:664469 Review-Url: https://codereview.chromium.org/2492783004 Cr-Commit-Position: refs/heads/master@{#40921}
567904f1 · jkummerow · Commit bot · 55621742 · 567904f1 · 567904f1
Commit 567904f1 authored Nov 11, 2016 by jkummerow Committed by Commit bot Nov 11, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 1 deletion

keyed-store-generic.cc src/ic/keyed-store-generic.cc +1 -1

regress-crbug-664469.js test/mjsunit/regress/regress-crbug-664469.js +21 -0

No files found.
--- a/src/ic/keyed-store-generic.cc
+++ b/src/ic/keyed-store-generic.cc
@@ -139,7 +139,7 @@ void KeyedStoreGenericAssembler::TryRewriteElements(
  {
    if (IsFastDoubleElementsKind(from_kind) !=
        IsFastDoubleElementsKind(to_kind)) {
-      Node* capacity = LoadFixedArrayBaseLength(elements);
+      Node* capacity = SmiUntag(LoadFixedArrayBaseLength(elements));
      GrowElementsCapacity(receiver, elements, from_kind, to_kind, capacity,
                           capacity, INTPTR_PARAMETERS, bailout);
    }

--- a/test/mjsunit/regress/regress-crbug-664469.js
+++ b/test/mjsunit/regress/regress-crbug-664469.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f(a, i) {
+  a[i] = "object";
+}
+
+f("make it generic", 0);
+
+// Nearly kMaxRegularHeapObjectSize's worth of doubles.
+var kLength = 500000 / 8;
+var kValue = 0.1;
+var a = new Array(kLength);
+for (var i = 0; i < kLength; i++) {
+  a[i] = kValue;
+}
+f(a, 0);
+for (var i = 1; i < kLength; i++) {
+  assertEquals(kValue, a[i]);
+}