[builtins] When creating new elements array initialize with holes

When we create a new elements array we should initialize it with holes.
The capacity of the newly created elements array could be greater than
the actual length of the array and we expect the unused slots to be
filled with holes.

Bug: chromium:1070560
Change-Id: Ia365eed59859e36a9c8b9e27be34f93ab88942bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2150599
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67180}

src/builtins/array-splice.tq

@@ -3,28 +3,35 @@
 // found in the LICENSE file.
 
 namespace array {
-  // Given {elements}, we want to create a non-zero length array of type
-  // FixedArrayType. Most of this behavior is outsourced to ExtractFixedArray(),
-  // but the special case of wanting to have a FixedDoubleArray when given a
-  // zero-length input FixedArray is handled here.
+  // Given {source}, we want to create a non-zero length array of type
+  // FixedArrayType with the specified {result_capacity}. Starting from
+  // {startIndex}, {count} number of elements are copied to the newly
+  // created result array. Most of this behavior is outsourced to
+  // ExtractFixedArray(). We handle the case where the {source} is
+  // EmptyFixedArray but result is expected to be a FixedDoubleArray.
   macro Extract(implicit context: Context)(
-      elements: FixedArray, first: Smi, count: Smi, capacity: Smi): FixedArray {
+      source: FixedArray, startIndex: Smi, count: Smi,
+      resultCapacity: Smi): FixedArray {
     return ExtractFixedArray(
-        elements, Convert<intptr>(first), Convert<intptr>(count),
-        Convert<intptr>(capacity));
+        source, Convert<intptr>(startIndex), Convert<intptr>(count),
+        Convert<intptr>(resultCapacity));
   }
 
   macro Extract(implicit context: Context)(
-      elements: FixedDoubleArray|EmptyFixedArray, first: Smi, count: Smi,
-      capacity: Smi): FixedDoubleArray|EmptyFixedArray {
-    typeswitch (elements) {
+      source: FixedDoubleArray|EmptyFixedArray, startIndex: Smi, count: Smi,
+      resultCapacity: Smi): FixedDoubleArray|EmptyFixedArray {
+    typeswitch (source) {
       case (EmptyFixedArray): {
-        return AllocateZeroedFixedDoubleArray(Convert<intptr>(capacity));
+        // ExtractFixedDoubleArray expects {source} to be a FixedDoubleArray.
+        // Handle the case where {source} is empty here.
+        return AllocateFixedDoubleArrayWithHoles(
+            Convert<intptr>(resultCapacity),
+            AllocationFlag::kAllowLargeObjectAllocation);
       }
-      case (elements: FixedDoubleArray): {
+      case (source: FixedDoubleArray): {
         return ExtractFixedDoubleArray(
-            elements, Convert<intptr>(first), Convert<intptr>(count),
-            Convert<intptr>(capacity));
+            source, Convert<intptr>(startIndex), Convert<intptr>(count),
+            Convert<intptr>(resultCapacity));
       }
     }
   }

test/mjsunit/regress/regress-crbug-1070560.js

+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f() {
+ // Create a FixedDoubleArray
+ var arr = [5.65];
+ // Force the elements to be EmptyFixedArray
+ arr.splice(0);
+ // This should create a FixedDoubleArray initialized with holes.
+ arr.splice(-4, 9, 10, 20);
+ // If the earlier spice didn't create a holes this would fail.
+ assertFalse(2 in arr);
+}
+
+f();