[turbofan] Set elements kind to holey if constructing array of possibly non-zero length.

BUG=chromium:621147 Review-Url: https://codereview.chromium.org/2126623003 Cr-Commit-Position: refs/heads/master@{#37543}

[turbofan] Set elements kind to holey if constructing array of possibly non-zero length.
BUG=chromium:621147 Review-Url: https://codereview.chromium.org/2126623003 Cr-Commit-Position: refs/heads/master@{#37543}
7614362b · jarin · Commit bot · 0ff1ca3f · 7614362b · 7614362b
Commit 7614362b authored Jul 06, 2016 by jarin Committed by Commit bot Jul 06, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 0 deletions

js-create-lowering.cc src/compiler/js-create-lowering.cc +3 -0

regress-621147.js test/mjsunit/compiler/regress-621147.js +29 -0

No files found.
--- a/src/compiler/js-create-lowering.cc
+++ b/src/compiler/js-create-lowering.cc
@@ -473,6 +473,9 @@ Reduction JSCreateLowering::ReduceNewArray(Node* node, Node* length,
  PretenureFlag pretenure = site->GetPretenureMode();
  ElementsKind elements_kind = site->GetElementsKind();
  DCHECK(IsFastElementsKind(elements_kind));
+  if (NodeProperties::GetType(length)->Max() > 0) {
+    elements_kind = GetHoleyElementsKind(elements_kind);
+  }
  dependencies()->AssumeTenuringDecision(site);
  dependencies()->AssumeTransitionStable(site);


--- a/test/mjsunit/compiler/regress-621147.js
+++ b/test/mjsunit/compiler/regress-621147.js
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo-filter=test2
+
+function test(n) {
+  return Array(n);
+}
+
+function test2() {
+  return test(2);
+}
+
+function test3(a) {
+  a[0] = 1;
+}
+
+test(0);
+
+var smi_array = [1,2];
+smi_array[2] = 3;
+test3(smi_array);
+
+%OptimizeFunctionOnNextCall(test2);
+
+var broken_array = test2();
+test3(broken_array);
+1+broken_array[0];