[CSA] Fix assertion in CallOrConstructDoubleVarargs with empty FixedArray

Bug: chromium:850005 Change-Id: I287a274b86941e7d29705a24e479e4a02ecdfb07 Reviewed-on: https://chromium-review.googlesource.com/1088608Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#53546}

[CSA] Fix assertion in CallOrConstructDoubleVarargs with empty FixedArray
Bug: chromium:850005 Change-Id: I287a274b86941e7d29705a24e479e4a02ecdfb07 Reviewed-on: https://chromium-review.googlesource.com/1088608Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#53546}
cb29d620 · Camillo Bruni · Commit Bot · 555c811c · cb29d620 · cb29d620
Commit cb29d620 authored Jun 06, 2018 by Camillo Bruni Committed by Commit Bot Jun 06, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 0 deletions

builtins-call-gen.cc src/builtins/builtins-call-gen.cc +4 -0

regress-crbug-850005.js test/mjsunit/regress/regress-crbug-850005.js +11 -0

No files found.
--- a/src/builtins/builtins-call-gen.cc
+++ b/src/builtins/builtins-call-gen.cc
@@ -193,6 +193,7 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithArrayLike(
    TNode<FixedArrayBase> elements = var_elements.value();
    TNode<Int32T> length = var_length.value();
+    GotoIf(Word32Equal(length, Int32Constant(0)), &if_not_double);
    Branch(IsFixedDoubleArray(elements), &if_double, &if_not_double);
    BIND(&if_not_double);
@@ -228,6 +229,7 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructDoubleVarargs(
  const ElementsKind new_kind = PACKED_ELEMENTS;
  const WriteBarrierMode barrier_mode = UPDATE_WRITE_BARRIER;
  TNode<IntPtrT> intptr_length = ChangeInt32ToIntPtr(length);
+  CSA_ASSERT(this, WordNotEqual(intptr_length, IntPtrConstant(0)));
  // Allocate a new FixedArray of Objects.
  TNode<FixedArray> new_elements = AllocateFixedArray(
@@ -318,6 +320,7 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithSpread(
    TNode<JSArray> list = CAST(
        CallBuiltin(Builtins::kIterableToList, context, spread, iterator_fn));
    var_length = LoadAndUntagToWord32ObjectField(list, JSArray::kLengthOffset);
    var_elements = LoadElements(list);
    var_elements_kind = LoadElementsKind(list);
    Branch(Int32LessThan(var_elements_kind.value(),
@@ -345,6 +348,7 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithSpread(
  BIND(&if_double);
  {
+    GotoIf(Word32Equal(var_length.value(), Int32Constant(0)), &if_smiorobject);
    CallOrConstructDoubleVarargs(target, new_target, CAST(var_elements.value()),
                                 var_length.value(), args_count, context,
                                 var_elements_kind.value());

--- a/test/mjsunit/regress/regress-crbug-850005.js
+++ b/test/mjsunit/regress/regress-crbug-850005.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+let args = [3.34, ];
+function f(a, b, c) {};
+f(...args);
+args = args.splice();
+f(...args);
+args = [];
+f(...args);