Let Runtime_GrowArrayElements accept non-Smi numbers as |key|.

BUG=chromium:485410
LOG=y
R=mvstanton@chromium.org,danno@chromium.org

Review URL: https://codereview.chromium.org/1132113004

Cr-Commit-Position: refs/heads/master@{#28327}

diff --git a/src/runtime/runtime-array.cc b/src/runtime/runtime-array.cc
index 95670d5..34f8735 100644 (file)
--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -1223,7 +1223,7 @@ RUNTIME_FUNCTION(Runtime_GrowArrayElements) {
   HandleScope scope(isolate);
   DCHECK(args.length() == 3);
   CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
-  CONVERT_SMI_ARG_CHECKED(key, 1);
+  CONVERT_NUMBER_CHECKED(int, key, Int32, args[1]);
 
   if (key < 0) {
     return object->elements();

diff --git a/test/mjsunit/regress/regress-crbug-485410.js b/test/mjsunit/regress/regress-crbug-485410.js
new file mode 100644 (file)
index 0000000..55c9c43
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-485410.js
@@ -0,0 +1,23 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var doubles = new Float64Array(1);
+function ToHeapNumber(i) {
+  doubles[0] = i;
+  return doubles[0];
+}
+for (var i = 0; i < 3; i++) ToHeapNumber(i);
+%OptimizeFunctionOnNextCall(ToHeapNumber);
+assertFalse(%IsSmi(ToHeapNumber(1)));
+
+function Fail(a, i, v) {
+  a[i] = v;
+}
+
+for (var i = 0; i < 3; i++) Fail(new Array(1), 1, i);
+%OptimizeFunctionOnNextCall(Fail);
+// 1050 > JSObject::kMaxGap, causing stub failure and runtime call.
+Fail(new Array(1), ToHeapNumber(1050), 3);