From f91df1f25dec4f1982c40af6118da8b699777475 Mon Sep 17 00:00:00 2001 From: jochen Date: Mon, 1 Jun 2015 03:07:09 -0700 Subject: [PATCH] Re-enable on-heap typed array allocation BUG=v8:3996 R=mstarzinger@chromium.org LOG=y Review URL: https://codereview.chromium.org/1166433004 Cr-Commit-Position: refs/heads/master@{#28722} --- src/hydrogen.cc | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/hydrogen.cc b/src/hydrogen.cc index 30406d6..809640f 100644 --- a/src/hydrogen.cc +++ b/src/hydrogen.cc @@ -9727,8 +9727,18 @@ HValue* HGraphBuilder::BuildAllocateEmptyArrayBuffer(HValue* byte_length) { native_context, nullptr, HObjectAccess::ForContextSlot(Context::ARRAY_BUFFER_MAP_INDEX))); - Add(result, HObjectAccess::ForJSArrayBufferBackingStore(), - Add(ExternalReference())); + HConstant* empty_fixed_array = + Add(isolate()->factory()->empty_fixed_array()); + Add( + result, HObjectAccess::ForJSArrayOffset(JSArray::kPropertiesOffset), + empty_fixed_array); + Add( + result, HObjectAccess::ForJSArrayOffset(JSArray::kElementsOffset), + empty_fixed_array); + Add( + result, HObjectAccess::ForJSArrayBufferBackingStore().WithRepresentation( + Representation::Smi()), + graph()->GetConstant0()); Add(result, HObjectAccess::ForJSArrayBufferByteLength(), byte_length); Add(result, HObjectAccess::ForJSArrayBufferBitFieldSlot(), @@ -9935,7 +9945,7 @@ void HOptimizedGraphBuilder::GenerateTypedArrayInitialize( CHECK_ALIVE(VisitForValue(arguments->at(kObjectArg))); HValue* obj = Pop(); - if (arguments->at(kArrayIdArg)->IsLiteral()) { + if (!arguments->at(kArrayIdArg)->IsLiteral()) { // This should never happen in real use, but can happen when fuzzing. // Just bail out. Bailout(kNeedSmiLiteral); -- 2.7.4