[builtins] Fix ArrayShift for double elements kind if head is the hole.

The code accidentally jumped over the actual left-shift part when the head of the array was the hole. Bug: chromium:752722 Change-Id: I300a3ebcfafb07d6ecebc01fa57c66eb26f349ac Reviewed-on: https://chromium-review.googlesource.com/603717Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#47204}

[builtins] Fix ArrayShift for double elements kind if head is the hole.
The code accidentally jumped over the actual left-shift part when the head of the array was the hole. Bug: chromium:752722 Change-Id: I300a3ebcfafb07d6ecebc01fa57c66eb26f349ac Reviewed-on: https://chromium-review.googlesource.com/603717Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#47204}
81778aaf · Tobias Tebbi · Commit Bot · 688689d3 · 81778aaf
Commit 81778aaf authored Aug 07, 2017 by Tobias Tebbi Committed by Commit Bot Aug 07, 2017
Show whitespace changes
Inline Side-by-side

Showing with 47 additions and 34 deletions

builtins-array-gen.cc src/builtins/builtins-array-gen.cc +47 -34

No files found.
--- a/src/builtins/builtins-array-gen.cc
+++ b/src/builtins/builtins-array-gen.cc
@@ -1067,7 +1067,7 @@ TF_BUILTIN(FastArrayShift, CodeStubAssembler) {
                         LoadObjectField(receiver, JSArray::kLengthOffset)));
    Node* length = LoadAndUntagObjectField(receiver, JSArray::kLengthOffset);
    Label return_undefined(this), fast_elements_tagged(this),
-        fast_elements_untagged(this);
+        fast_elements_smi(this);
    GotoIf(IntPtrEqual(length, IntPtrConstant(0)), &return_undefined);

    // 2) Ensure that the length is writable.
@@ -1102,13 +1102,24 @@ TF_BUILTIN(FastArrayShift, CodeStubAssembler) {
    Node* elements_kind = LoadMapElementsKind(LoadMap(receiver));
    GotoIf(
        Int32LessThanOrEqual(elements_kind, Int32Constant(HOLEY_SMI_ELEMENTS)),
-        &fast_elements_untagged);
-    GotoIf(Int32LessThanOrEqual(elements_kind,
-                                Int32Constant(TERMINAL_FAST_ELEMENTS_KIND)),
+        &fast_elements_smi);
+    GotoIf(Int32LessThanOrEqual(elements_kind, Int32Constant(HOLEY_ELEMENTS)),
           &fast_elements_tagged);
-    Node* value = LoadFixedDoubleArrayElement(
+
+    // Fast double elements kind:
+    {
+      CSA_ASSERT(this,
+                 Int32LessThanOrEqual(elements_kind,
+                                      Int32Constant(HOLEY_DOUBLE_ELEMENTS)));
+
+      VARIABLE(result, MachineRepresentation::kTagged, UndefinedConstant());
+
+      Label move_elements(this);
+      result.Bind(AllocateHeapNumberWithValue(LoadFixedDoubleArrayElement(
          elements, IntPtrConstant(0), MachineType::Float64(), 0,
-        INTPTR_PARAMETERS, &return_undefined);
+          INTPTR_PARAMETERS, &move_elements)));
+      Goto(&move_elements);
+      BIND(&move_elements);

      int32_t header_size = FixedDoubleArray::kHeaderSize - kHeapObjectTag;
      Node* memmove =
@@ -1136,7 +1147,8 @@ TF_BUILTIN(FastArrayShift, CodeStubAssembler) {
                            IntPtrAdd(offset, IntPtrConstant(kPointerSize)),
                            double_hole);
      }
-    args.PopAndReturn(AllocateHeapNumberWithValue(value));
+      args.PopAndReturn(result.value());
+    }

    BIND(&fast_elements_tagged);
    {
@@ -1155,9 +1167,10 @@ TF_BUILTIN(FastArrayShift, CodeStubAssembler) {
      args.PopAndReturn(value);
    }

-    BIND(&fast_elements_untagged);
+    BIND(&fast_elements_smi);
    {
      Node* value = LoadFixedArrayElement(elements, 0);
+      int32_t header_size = FixedDoubleArray::kHeaderSize - kHeapObjectTag;
      Node* memmove =
          ExternalConstant(ExternalReference::libc_memmove_function(isolate()));
      Node* start = IntPtrAdd(