Initialize sub-array literals first before pointing to it.

BUG=484544
LOG=n

Review URL: https://codereview.chromium.org/1132763002

Cr-Commit-Position: refs/heads/master@{#28313}

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 2ac3d52..f226730 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -11338,13 +11338,16 @@ HInstruction* HOptimizedGraphBuilder::BuildFastLiteral(
     object_elements =
         Add<HAllocate>(object_elements_size, HType::HeapObject(),
                        pretenure_flag, instance_type, current_site);
-  }
-  BuildInitElementsInObjectHeader(boilerplate_object, object, object_elements);
-
-  // Copy object elements if non-COW.
-  if (object_elements != NULL) {
     BuildEmitElements(boilerplate_object, elements, object_elements,
                       site_context);
+    Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
+                          object_elements);
+  } else {
+    Handle<Object> elements_field =
+        Handle<Object>(boilerplate_object->elements(), isolate());
+    HInstruction* object_elements_cow = Add<HConstant>(elements_field);
+    Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
+                          object_elements_cow);
   }
 
   // Copy in-object properties.
@@ -11386,21 +11389,6 @@ void HOptimizedGraphBuilder::BuildEmitObjectHeader(
 }
 
 
-void HOptimizedGraphBuilder::BuildInitElementsInObjectHeader(
-    Handle<JSObject> boilerplate_object,
-    HInstruction* object,
-    HInstruction* object_elements) {
-  DCHECK(boilerplate_object->properties()->length() == 0);
-  if (object_elements == NULL) {
-    Handle<Object> elements_field =
-        Handle<Object>(boilerplate_object->elements(), isolate());
-    object_elements = Add<HConstant>(elements_field);
-  }
-  Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
-      object_elements);
-}
-
-
 void HOptimizedGraphBuilder::BuildEmitInObjectProperties(
     Handle<JSObject> boilerplate_object,
     HInstruction* object,

diff --git a/src/hydrogen.h b/src/hydrogen.h
index 3eb34a2..0feef24 100644 (file)
--- a/src/hydrogen.h
+++ b/src/hydrogen.h
@@ -2818,10 +2818,6 @@ class HOptimizedGraphBuilder : public HGraphBuilder, public AstVisitor {
   void BuildEmitObjectHeader(Handle<JSObject> boilerplate_object,
                              HInstruction* object);
 
-  void BuildInitElementsInObjectHeader(Handle<JSObject> boilerplate_object,
-                                       HInstruction* object,
-                                       HInstruction* object_elements);
-
   void BuildEmitInObjectProperties(Handle<JSObject> boilerplate_object,
                                    HInstruction* object,
                                    AllocationSiteUsageContext* site_context,

diff --git a/test/mjsunit/regress/regress-484544.js b/test/mjsunit/regress/regress-484544.js
new file mode 100644 (file)
index 0000000..709a890
--- /dev/null
+++ b/test/mjsunit/regress/regress-484544.js
@@ -0,0 +1,13 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --nouse-allocation-folding  --stress-compaction --predictable
+
+function f() {
+  return [[], [], [[], [], []]];
+}
+
+for (var i=0; i<10000; i++) {
+  f();
+}