[builtins] Fix assertion in %TypedArray%.prototype.map

The assertion was too strict, not matching the check in JSTypedArray::Create. Delete the TODO because the code does not actually rely on the assertion for safety: EmitElementStore always performs a length check. Drive-by-fix: KeyedAccessStoreMode::STANDARD_STORE is equally safe and does one comparison less. Bug: chromium:724889 Change-Id: I988a4eb6ad36d35143a008f7289b075f5c05e7ed Reviewed-on: https://chromium-review.googlesource.com/517102Reviewed-by: Daniel Clifford <danno@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#45617}

[builtins] Fix assertion in %TypedArray%.prototype.map
The assertion was too strict, not matching the check in JSTypedArray::Create. Delete the TODO because the code does not actually rely on the assertion for safety: EmitElementStore always performs a length check. Drive-by-fix: KeyedAccessStoreMode::STANDARD_STORE is equally safe and does one comparison less. Bug: chromium:724889 Change-Id: I988a4eb6ad36d35143a008f7289b075f5c05e7ed Reviewed-on: https://chromium-review.googlesource.com/517102Reviewed-by: Daniel Clifford <danno@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#45617}
ec411b5d · Tobias Tebbi · Commit Bot · 6fb42018 · ec411b5d
Commit ec411b5d authored May 26, 2017 by Tobias Tebbi Committed by Commit Bot May 31, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 9 deletions

builtins-array-gen.cc src/builtins/builtins-array-gen.cc +6 -9

No files found.
--- a/src/builtins/builtins-array-gen.cc
+++ b/src/builtins/builtins-array-gen.cc
@@ -168,11 +168,10 @@ class ArrayBuiltinCodeStubAssembler : public CodeStubAssembler {
    // 6. Let A be ? TypedArraySpeciesCreate(O, len).
    Node* a = TypedArraySpeciesCreateByLength(context(), o(), len_);
    // In the Spec and our current implementation, the length check is already
-    // performed in TypedArraySpeciesCreate. Repeating the check here to
-    // keep this invariant local.
-    // TODO(tebbi): Change this to a release mode check.
-    CSA_ASSERT(
-        this, WordEqual(len_, LoadObjectField(a, JSTypedArray::kLengthOffset)));
+    // performed in TypedArraySpeciesCreate.
+    CSA_ASSERT(this,
+               SmiLessThanOrEqual(
+                   len_, LoadObjectField(a, JSTypedArray::kLengthOffset)));
    fast_typed_array_target_ = Word32Equal(LoadInstanceType(LoadElements(o_)),
                                           LoadInstanceType(LoadElements(a)));
    a_.Bind(a);
@@ -269,10 +268,8 @@ class ArrayBuiltinCodeStubAssembler : public CodeStubAssembler {
    // #sec-integerindexedelementset 3. Let numValue be ? ToNumber(value).
    Node* num_value = ToNumber(context(), mappedValue);
    // The only way how this can bailout is because of a detached buffer.
-    EmitElementStore(
-        a(), k, num_value, false, source_elements_kind_,
-        KeyedAccessStoreMode::STORE_NO_TRANSITION_IGNORE_OUT_OF_BOUNDS,
-        &detached);
+    EmitElementStore(a(), k, num_value, false, source_elements_kind_,
+                     KeyedAccessStoreMode::STANDARD_STORE, &detached);
    Goto(&done);

    BIND(&slow);