Fix manual allocation folding of RegExpConstructResult.

R=mstarzinger@chromium.org
BUG=409533
LOG=N

Review URL: https://codereview.chromium.org/532453003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23543 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 5b2982b..b15de89 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -1855,9 +1855,11 @@ HValue* HGraphBuilder::BuildRegExpConstructResult(HValue* length,
   HAllocate* elements = BuildAllocateElements(elements_kind, size);
   BuildInitializeElementsHeader(elements, elements_kind, length);
 
-  HConstant* size_in_bytes_upper_bound = EstablishElementsAllocationSize(
-      elements_kind, max_length->Integer32Value());
-  elements->set_size_upper_bound(size_in_bytes_upper_bound);
+  if (!elements->has_size_upper_bound()) {
+    HConstant* size_in_bytes_upper_bound = EstablishElementsAllocationSize(
+        elements_kind, max_length->Integer32Value());
+    elements->set_size_upper_bound(size_in_bytes_upper_bound);
+  }
 
   Add<HStoreNamedField>(
       result, HObjectAccess::ForJSArrayOffset(JSArray::kElementsOffset),

diff --git a/test/mjsunit/regress/regress-409533.js b/test/mjsunit/regress/regress-409533.js
new file mode 100644 (file)
index 0000000..e51065e
--- /dev/null
+++ b/test/mjsunit/regress/regress-409533.js
@@ -0,0 +1,13 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+  %_RegExpConstructResult(0, {}, {});
+}
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();