From d9ca45b1ca27a0adb5de70985ac2f5c62b739598 Mon Sep 17 00:00:00 2001
From: "mvstanton@chromium.org"
Date: Wed, 13 Mar 2013 13:03:59 +0000
Subject: [PATCH] In ArrayConstructor_StubFailure the transition elements kind was ignored on allocation.

BUG=
Review URL: https://codereview.chromium.org/12767004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13931 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/builtins.cc | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/builtins.cc b/src/builtins.cc
index aa69203..f8d562b 100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -203,12 +203,6 @@ RUNTIME_FUNCTION(MaybeObject*, ArrayConstructor_StubFailure) {
 holey = (value > 0 && value < JSObject::kInitialMaxFastElementArray);
 }

- ASSERT(function->has_initial_map());
- ElementsKind kind = function->initial_map()->elements_kind();
- if (holey) {
- kind = GetHoleyElementsKind(kind);
- }
-
 MaybeObject* maybe_array;
 if (*type_info != isolate->heap()->undefined_value()) {
 JSGlobalPropertyCell* cell = JSGlobalPropertyCell::cast(*type_info);
@@ -224,14 +218,20 @@ RUNTIME_FUNCTION(MaybeObject*, ArrayConstructor_StubFailure) {
 AllocationSiteMode mode = AllocationSiteInfo::GetMode(to_kind);
 if (mode == TRACK_ALLOCATION_SITE) {
 maybe_array = isolate->heap()->AllocateEmptyJSArrayWithAllocationSite(
- kind, type_info);
+ to_kind, type_info);
 } else {
- maybe_array = isolate->heap()->AllocateEmptyJSArray(kind);
+ maybe_array = isolate->heap()->AllocateEmptyJSArray(to_kind);
 }
 if (!maybe_array->To(&array)) return maybe_array;
 }
 }

+ ASSERT(function->has_initial_map());
+ ElementsKind kind = function->initial_map()->elements_kind();
+ if (holey) {
+ kind = GetHoleyElementsKind(kind);
+ }
+
 if (array == NULL) {
 maybe_array = isolate->heap()->AllocateEmptyJSArray(kind);
 if (!maybe_array->To(&array)) return maybe_array;
-- 
2.7.4
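Review bot: As far as the second hunk shows, `kind` is now read only by the `if (array == NULL)` fallback, yet it is still declared at function scope right after the allocation-site branch. A later edit could therefore pass the initial-map kind where `to_kind` is required again, which is the mix-up this commit fixes. Moving `ElementsKind kind = function->initial_map()->elements_kind();` and the `if (holey)` adjustment to the top of the `if (array == NULL) {` body, while leaving `ASSERT(function->has_initial_map());` where it is, would rule that out. The diffstat lists only src/builtins.cc, so no regression test pins the elements kind of an array allocated from site feedback; a disagreement between the recorded kind and the actual backing store is worth a test of its own. The fallback body, and the code that derives `to_kind`, lie outside the hunk.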