From: jochen Date: Mon, 1 Jun 2015 10:07:09 +0000 (-0700) Subject: Re-enable on-heap typed array allocation X-Git-Tag: upstream/4.7.83~2318 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f91df1f25dec4f1982c40af6118da8b699777475;p=platform%2Fupstream%2Fv8.git Re-enable on-heap typed array allocation BUG=v8:3996 R=mstarzinger@chromium.org LOG=y Review URL: https://codereview.chromium.org/1166433004 Cr-Commit-Position: refs/heads/master@{#28722} --- diff --git a/src/hydrogen.cc b/src/hydrogen.cc index 30406d6..809640f 100644 --- a/src/hydrogen.cc +++ b/src/hydrogen.cc @@ -9727,8 +9727,18 @@ HValue* HGraphBuilder::BuildAllocateEmptyArrayBuffer(HValue* byte_length) { native_context, nullptr, HObjectAccess::ForContextSlot(Context::ARRAY_BUFFER_MAP_INDEX))); - Add(result, HObjectAccess::ForJSArrayBufferBackingStore(), - Add(ExternalReference())); + HConstant* empty_fixed_array = + Add(isolate()->factory()->empty_fixed_array()); + Add( + result, HObjectAccess::ForJSArrayOffset(JSArray::kPropertiesOffset), + empty_fixed_array); + Add( + result, HObjectAccess::ForJSArrayOffset(JSArray::kElementsOffset), + empty_fixed_array); + Add( + result, HObjectAccess::ForJSArrayBufferBackingStore().WithRepresentation( + Representation::Smi()), + graph()->GetConstant0()); Add(result, HObjectAccess::ForJSArrayBufferByteLength(), byte_length); Add(result, HObjectAccess::ForJSArrayBufferBitFieldSlot(), @@ -9935,7 +9945,7 @@ void HOptimizedGraphBuilder::GenerateTypedArrayInitialize( CHECK_ALIVE(VisitForValue(arguments->at(kObjectArg))); HValue* obj = Pop(); - if (arguments->at(kArrayIdArg)->IsLiteral()) { + if (!arguments->at(kArrayIdArg)->IsLiteral()) { // This should never happen in real use, but can happen when fuzzing. // Just bail out. Bailout(kNeedSmiLiteral);
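Review bot: The new store through `HObjectAccess::ForJSArrayBufferBackingStore().WithRepresentation(Representation::Smi())` in BuildAllocateEmptyArrayBuffer writes `graph()->GetConstant0()` into a field that the accessor name describes as a pointer, and nothing at the store explains why. If the intent is that a zero Smi stands in for a null backing store, a comment such as `// Smi zero doubles as a null backing-store pointer; readers must treat 0 as "no external buffer".` would record that invariant for every later reader of the field. The two stores through `ForJSArrayOffset(JSArray::kPropertiesOffset)` and `ForJSArrayOffset(JSArray::kElementsOffset)` use the JSArray accessor on a JSArrayBuffer, which presumably works only because both offsets are inherited from JSObject; spelling them `JSObject::kPropertiesOffset` and `JSObject::kElementsOffset` would make that dependency visible. The function starts and ends outside the hunk, so it cannot be checked from here whether every remaining field is initialised before the object can be observed.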
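Review bot: The guard in GenerateTypedArrayInitialize tests only `IsLiteral()` while the bailout reason is `kNeedSmiLiteral`, so nothing in this hunk establishes the Smi half of that requirement. The existing comment says this path is reachable under fuzzing, so the array id should be confirmed to be a Smi before its value is read. If that check sits below the hunk, a short comment here such as `// Non-literal array id; the Smi check on the literal's value follows.` would save the next reader the lookup. The function continues outside the hunk and no `return` after `Bailout(kNeedSmiLiteral);` is visible, so both are worth confirming in the full file.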