Reland "Re-enable on-heap typed array allocation"

R=mstarzinger@chromium.org BUG=v8:3996 LOG=y Review URL: https://codereview.chromium.org/1144143006 Cr-Commit-Position: refs/heads/master@{#28729}

Reland "Re-enable on-heap typed array allocation"
R=mstarzinger@chromium.org BUG=v8:3996 LOG=y Review URL: https://codereview.chromium.org/1144143006 Cr-Commit-Position: refs/heads/master@{#28729}
65cd41e3 · jochen · Commit bot · f91c54fa · 65cd41e3 · 65cd41e3
Commit 65cd41e3 authored Jun 01, 2015 by jochen Committed by Commit bot Jun 01, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 4 deletions

bootstrapper.cc src/bootstrapper.cc +2 -1

hydrogen.cc src/hydrogen.cc +13 -3

No files found.
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -1195,7 +1195,6 @@ void Genesis::InitializeGlobal(Handle<GlobalObject> global_object,
            isolate->initial_object_prototype(),
            Builtins::kIllegal);
    native_context()->set_array_buffer_fun(*array_buffer_fun);
-    native_context()->set_array_buffer_map(array_buffer_fun->initial_map());
  }

  {  // -- T y p e d A r r a y s
@@ -2800,6 +2799,8 @@ bool Genesis::ConfigureGlobalObjects(

  native_context()->set_initial_array_prototype(
      JSArray::cast(native_context()->array_function()->prototype()));
+  native_context()->set_array_buffer_map(
+      native_context()->array_buffer_fun()->initial_map());

  return true;
 }

--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -9727,8 +9727,18 @@ HValue* HGraphBuilder::BuildAllocateEmptyArrayBuffer(HValue* byte_length) {
          native_context, nullptr,
          HObjectAccess::ForContextSlot(Context::ARRAY_BUFFER_MAP_INDEX)));

-  Add<HStoreNamedField>(result, HObjectAccess::ForJSArrayBufferBackingStore(),
-                        Add<HConstant>(ExternalReference()));
+  HConstant* empty_fixed_array =
+      Add<HConstant>(isolate()->factory()->empty_fixed_array());
+  Add<HStoreNamedField>(
+      result, HObjectAccess::ForJSArrayOffset(JSArray::kPropertiesOffset),
+      empty_fixed_array);
+  Add<HStoreNamedField>(
+      result, HObjectAccess::ForJSArrayOffset(JSArray::kElementsOffset),
+      empty_fixed_array);
+  Add<HStoreNamedField>(
+      result, HObjectAccess::ForJSArrayBufferBackingStore().WithRepresentation(
+                  Representation::Smi()),
+      graph()->GetConstant0());
  Add<HStoreNamedField>(result, HObjectAccess::ForJSArrayBufferByteLength(),
                        byte_length);
  Add<HStoreNamedField>(result, HObjectAccess::ForJSArrayBufferBitFieldSlot(),
@@ -9935,7 +9945,7 @@ void HOptimizedGraphBuilder::GenerateTypedArrayInitialize(
  CHECK_ALIVE(VisitForValue(arguments->at(kObjectArg)));
  HValue* obj = Pop();

-  if (arguments->at(kArrayIdArg)->IsLiteral()) {
+  if (!arguments->at(kArrayIdArg)->IsLiteral()) {
    // This should never happen in real use, but can happen when fuzzing.
    // Just bail out.
    Bailout(kNeedSmiLiteral);