Fix the Array.push simulate for non-effect context.

R=danno@google.com, danno@chromium.org
BUG=

Review URL: https://codereview.chromium.org/246543007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20912 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 95e190e..331aac8 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -7830,7 +7830,10 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
                                                elements_kind, STORE,
                                                NEVER_RETURN_HOLE,
                                                STORE_AND_GROW_NO_TRANSITION);
+
+        if (!ast_context()->IsEffect()) Push(new_size);
         Add<HSimulate>(expr->id(), REMOVABLE_SIMULATE);
+        if (!ast_context()->IsEffect()) Drop(1);
       }
 
       ast_context()->ReturnValue(new_size);

diff --git a/test/mjsunit/array-push11.js b/test/mjsunit/array-push11.js
new file mode 100644 (file)
index 0000000..118161a
--- /dev/null
+++ b/test/mjsunit/array-push11.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_17(__v_9) {
+ var __v_10 = 0;
+ var count = 100000;
+ while (count-- != 0) {
+   var l = __v_9.push(0);
+   if (++__v_10 >= 2) return __v_9;
+   __v_10 = {};
+ }
+}
+
+__f_17([]);