[turbofan] check JSObject length in deoptimizer

Bug: Change-Id: I41442b9608b791d695dcb6324158bec994f34cee Reviewed-on: https://chromium-review.googlesource.com/500310Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#45199}

[turbofan] check JSObject length in deoptimizer
Bug: Change-Id: I41442b9608b791d695dcb6324158bec994f34cee Reviewed-on: https://chromium-review.googlesource.com/500310Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#45199}
cdbf01ff · Tobias Tebbi · Commit Bot · e118462f · cdbf01ff
Commit cdbf01ff authored May 09, 2017 by Tobias Tebbi Committed by Commit Bot May 09, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 14 deletions

deoptimizer.cc src/deoptimizer.cc +16 -14

No files found.
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -3943,7 +3943,8 @@ Handle<Object> TranslatedState::MaterializeCapturedObjectAt(
      Handle<Object> elements = materializer.FieldAt(value_index);
      object->set_properties(FixedArray::cast(*properties));
      object->set_elements(FixedArrayBase::cast(*elements));
-      for (int i = 0; i < length - 3; ++i) {
+      int in_object_properties = map->GetInObjectProperties();
+      for (int i = 0; i < in_object_properties; ++i) {
        Handle<Object> value = materializer.FieldAt(value_index);
        FieldIndex index = FieldIndex::ForPropertyIndex(object->map(), i);
        object->FastPropertyAtPut(index, *value);
@@ -4039,10 +4040,10 @@ Handle<Object> TranslatedState::MaterializeCapturedObjectAt(
      slot->value_ = object;
      Handle<Object> properties = materializer.FieldAt(value_index);
      Handle<Object> elements = materializer.FieldAt(value_index);
-      Handle<Object> length = materializer.FieldAt(value_index);
+      Handle<Object> array_length = materializer.FieldAt(value_index);
      object->set_properties(FixedArray::cast(*properties));
      object->set_elements(FixedArrayBase::cast(*elements));
-      object->set_length(*length);
+      object->set_length(*array_length);
      return object;
    }
    case JS_FUNCTION_TYPE: {
@@ -4082,11 +4083,11 @@ Handle<Object> TranslatedState::MaterializeCapturedObjectAt(
              .ToHandleChecked());
      slot->value_ = object;
      Handle<Object> hash = materializer.FieldAt(value_index);
-      Handle<Object> length = materializer.FieldAt(value_index);
+      Handle<Object> string_length = materializer.FieldAt(value_index);
      Handle<Object> first = materializer.FieldAt(value_index);
      Handle<Object> second = materializer.FieldAt(value_index);
      object->set_map(*map);
-      object->set_length(Smi::cast(*length)->value());
+      object->set_length(Smi::cast(*string_length)->value());
      object->set_first(String::cast(*first));
      object->set_second(String::cast(*second));
      CHECK(hash->IsNumber());  // The {Name::kEmptyHashField} value.
@@ -4106,15 +4107,16 @@ Handle<Object> TranslatedState::MaterializeCapturedObjectAt(
    }
    case FIXED_ARRAY_TYPE: {
      Handle<Object> lengthObject = materializer.FieldAt(value_index);
-      int32_t length = 0;
+      int32_t array_length = 0;
-      CHECK(lengthObject->ToInt32(&length));
+      CHECK(lengthObject->ToInt32(&array_length));
-      Handle<FixedArray> object = isolate_->factory()->NewFixedArray(length);
+      Handle<FixedArray> object =
+          isolate_->factory()->NewFixedArray(array_length);
      // We need to set the map, because the fixed array we are
      // materializing could be a context or an arguments object,
      // in which case we must retain that information.
      object->set_map(*map);
      slot->value_ = object;
-      for (int i = 0; i < length; ++i) {
+      for (int i = 0; i < array_length; ++i) {
        Handle<Object> value = materializer.FieldAt(value_index);
        object->set(i, *value);
      }
@@ -4123,15 +4125,15 @@ Handle<Object> TranslatedState::MaterializeCapturedObjectAt(
    case FIXED_DOUBLE_ARRAY_TYPE: {
      DCHECK_EQ(*map, isolate_->heap()->fixed_double_array_map());
      Handle<Object> lengthObject = materializer.FieldAt(value_index);
-      int32_t length = 0;
+      int32_t array_length = 0;
-      CHECK(lengthObject->ToInt32(&length));
+      CHECK(lengthObject->ToInt32(&array_length));
      Handle<FixedArrayBase> object =
-          isolate_->factory()->NewFixedDoubleArray(length);
+          isolate_->factory()->NewFixedDoubleArray(array_length);
      slot->value_ = object;
-      if (length > 0) {
+      if (array_length > 0) {
        Handle<FixedDoubleArray> double_array =
            Handle<FixedDoubleArray>::cast(object);
-        for (int i = 0; i < length; ++i) {
+        for (int i = 0; i < array_length; ++i) {
          Handle<Object> value = materializer.FieldAt(value_index);
          if (value.is_identical_to(isolate_->factory()->the_hole_value())) {
            double_array->set_the_hole(isolate_, i);