From b2bea462454ff1b247812f3edc2e64a733d48034 Mon Sep 17 00:00:00 2001
From: "mvstanton@chromium.org"
 <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Fri, 17 Jan 2014 12:18:57 +0000
Subject: [PATCH] Minor bugfix in building inlined Array: bad argument to
 JSArrayBuilder.

An HConstant pointing to a Cell rather than an AllocationSite
was passed. The argument wasn't used because of fortuitous
flags. An assert was added to protect the argument.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/141533003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18666 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen.cc | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 8e2ac74..54e7ee8 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -2704,6 +2704,9 @@ HGraphBuilder::JSArrayBuilder::JSArrayBuilder(HGraphBuilder* builder,
         kind_(kind),
         allocation_site_payload_(allocation_site_payload),
         constructor_function_(constructor_function) {
+  ASSERT(!allocation_site_payload->IsConstant() ||
+         HConstant::cast(allocation_site_payload)->handle(
+             builder_->isolate())->IsAllocationSite());
   mode_ = override_mode == DISABLE_ALLOCATION_SITES
       ? DONT_TRACK_ALLOCATION_SITE
       : AllocationSite::GetMode(kind);
@@ -7944,10 +7947,10 @@ void HOptimizedGraphBuilder::BuildInlinedCallNewArray(CallNew* expr) {
   Handle<Cell> cell = expr->allocation_info_cell();
   Handle<AllocationSite> site(AllocationSite::cast(cell->value()));
 
-  // Register on the site for deoptimization if the cell value changes.
+  // Register on the site for deoptimization if the transition feedback changes.
   AllocationSite::AddDependentCompilationInfo(
       site, AllocationSite::TRANSITIONS, top_info());
-  HInstruction* cell_instruction = Add<HConstant>(cell);
+  HInstruction* site_instruction = Add<HConstant>(site);
 
   // In the single constant argument case, we may have to adjust elements kind
   // to avoid creating a packed non-empty array.
@@ -7966,7 +7969,7 @@ void HOptimizedGraphBuilder::BuildInlinedCallNewArray(CallNew* expr) {
   // Build the array.
   JSArrayBuilder array_builder(this,
                                kind,
-                               cell_instruction,
+                               site_instruction,
                                constructor,
                                DISABLE_ALLOCATION_SITES);
   HValue* new_object;
-- 
2.7.4