[turbofan] Workaround for unknown array literal length.

This fixes the existing workaround in {BytecodeGraphBuilder} where the
number of elements in an array literal is unknown just from the bytecode
alone and needs to be deduced from the constant elements.

Note that this is just a quick fix to prevent calling the fast-clone
stub for boilerplates that are too big to fit on a regular page. In the
long run we need something more solid here.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-669850
BUG=chromium:669850

Review-Url: https://codereview.chromium.org/2542633002
Cr-Commit-Position: refs/heads/master@{#41420}

src/compiler/bytecode-graph-builder.cc

@@ -1185,13 +1185,18 @@ void BytecodeGraphBuilder::VisitCreateArrayLiteral() {
   Handle<FixedArray> constant_elements = Handle<FixedArray>::cast(
       bytecode_iterator().GetConstantForIndexOperand(0));
   int literal_index = bytecode_iterator().GetIndexOperand(1);
-  int literal_flags = bytecode_iterator().GetFlagOperand(2);
+  int bytecode_flags = bytecode_iterator().GetFlagOperand(2);
+  int literal_flags =
+      interpreter::CreateArrayLiteralFlags::FlagsBits::decode(bytecode_flags);
   // Disable allocation site mementos. Only unoptimized code will collect
   // feedback about allocation site. Once the code is optimized we expect the
   // data to converge. So, we disable allocation site mementos in optimized
   // code. We can revisit this when we have data to the contrary.
   literal_flags |= ArrayLiteral::kDisableMementos;
-  int number_of_elements = constant_elements->length();
+  // TODO(mstarzinger): Thread through number of elements. The below number is
+  // only an estimate and does not match {ArrayLiteral::values::length}.
+  int number_of_elements =
+      FixedArrayBase::cast(constant_elements->get(1))->length();
   Node* literal = NewNode(
       javascript()->CreateLiteralArray(constant_elements, literal_flags,
                                        literal_index, number_of_elements),
@@ -1207,7 +1212,8 @@ void BytecodeGraphBuilder::VisitCreateObjectLiteral() {
   int bytecode_flags = bytecode_iterator().GetFlagOperand(2);
   int literal_flags =
       interpreter::CreateObjectLiteralFlags::FlagsBits::decode(bytecode_flags);
-  // TODO(mstarzinger): Thread through number of properties.
+  // TODO(mstarzinger): Thread through number of properties. The below number is
+  // only an estimate and does not match {ObjectLiteral::properties_count}.
   int number_of_properties = constant_properties->length() / 2;
   Node* literal = NewNode(
       javascript()->CreateLiteralObject(constant_properties, literal_flags,

test/mjsunit/regress/regress-crbug-669850.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo
+
+eval('function f(a) { return [' + new Array(1 << 17) + ',a] }');
+assertEquals(23, f(23)[1 << 17]);
+assertEquals(42, f(42)[1 << 17]);
+%OptimizeFunctionOnNextCall(f);
+assertEquals(65, f(65)[1 << 17]);