[torque] only expose safe FixedArray allocation

drive-by change: fix wrong typing in CSA. Change-Id: I9234306e8568a64157b44a86a58f09e65116b298 Reviewed-on: https://chromium-review.googlesource.com/1172583 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#55093}
2018-08-13 17:08:55 +02:00 · 2018-08-13 17:08:55 +02:00 · 2aa47b67dd
commit 2aa47b67dd
parent 11e3467455
17 changed files with 126 additions and 80 deletions
--- a/src/builtins/base.tq
+++ b/src/builtins/base.tq
@ -62,7 +62,6 @@ type ExtractFixedArrayFlags generates
 'TNode<Smi>' constexpr 'ExtractFixedArrayFlags';
 type ParameterMode generates 'TNode<Int32T>' constexpr 'ParameterMode';
 type RootListIndex generates 'TNode<Int32T>' constexpr 'Heap::RootListIndex';
-type AllocationFlags generates 'TNode<Int32T>' constexpr 'AllocationFlags';
 type WriteBarrierMode generates 'TNode<Int32T>' constexpr 'WriteBarrierMode';

 type MessageTemplate constexpr 'MessageTemplate::Template';
@ -164,8 +163,6 @@ const kSloppy: constexpr LanguageMode generates 'LanguageMode::kSloppy';
 const SMI_PARAMETERS: constexpr ParameterMode generates 'SMI_PARAMETERS';
 const INTPTR_PARAMETERS: constexpr ParameterMode generates 'INTPTR_PARAMETERS';

-const kAllowLargeObjectAllocation: constexpr AllocationFlags
-    generates 'kAllowLargeObjectAllocation';

 const SKIP_WRITE_BARRIER: constexpr WriteBarrierMode
    generates 'SKIP_WRITE_BARRIER';
@ -673,9 +670,8 @@ extern macro IsFastSmiOrTaggedElementsKind(ElementsKind): bool;
 extern macro IsFastSmiElementsKind(ElementsKind): bool;
 extern macro IsHoleyFastElementsKind(ElementsKind): bool;

-extern macro AllocateFixedArray(constexpr ElementsKind, intptr): FixedArray;
-extern macro AllocateFixedArray(constexpr ElementsKind, intptr,
-    constexpr ParameterMode, constexpr AllocationFlags): FixedArray;
+extern macro AllocateZeroedFixedArray(intptr): FixedArray;
+extern macro AllocateZeroedFixedDoubleArray(intptr): FixedDoubleArray;

 extern macro CopyFixedArrayElements(
    constexpr ElementsKind, FixedArray, constexpr ElementsKind, FixedArray,
--- a/src/builtins/builtins-array-gen.cc
+++ b/src/builtins/builtins-array-gen.cc
@ -382,28 +382,6 @@ Node* ArrayBuiltinsAssembler::FindProcessor(Node* k_value, Node* k) {

  void ArrayBuiltinsAssembler::NullPostLoopAction() {}

-  void ArrayBuiltinsAssembler::FillFixedArrayWithSmiZero(
-      TNode<FixedArray> array, TNode<Smi> smi_length) {
-    CSA_ASSERT(this, Word32BinaryNot(IsFixedDoubleArray(array)));
-
-    TNode<IntPtrT> length = SmiToIntPtr(smi_length);
-    TNode<WordT> byte_length = TimesPointerSize(length);
-    CSA_ASSERT(this, UintPtrLessThan(length, byte_length));
-
-    static const int32_t fa_base_data_offset =
-        FixedArray::kHeaderSize - kHeapObjectTag;
-    TNode<IntPtrT> backing_store = IntPtrAdd(
-        BitcastTaggedToWord(array), IntPtrConstant(fa_base_data_offset));
-
-    // Call out to memset to perform initialization.
-    TNode<ExternalReference> memset =
-        ExternalConstant(ExternalReference::libc_memset_function());
-    STATIC_ASSERT(kSizetSize == kIntptrSize);
-    CallCFunction3(MachineType::Pointer(), MachineType::Pointer(),
-                   MachineType::IntPtr(), MachineType::UintPtr(), memset,
-                   backing_store, IntPtrConstant(0), byte_length);
-  }
-
  void ArrayBuiltinsAssembler::ReturnFromBuiltin(Node* value) {
    if (argc_ == nullptr) {
      Return(value);
@ -3750,7 +3728,7 @@ TF_BUILTIN(ArrayIteratorPrototypeNext, CodeStubAssembler) {
           &allocate_iterator_result);

    TNode<FixedArray> elements =
-        AllocateFixedArray(PACKED_ELEMENTS, IntPtrConstant(2));
+        CAST(AllocateFixedArray(PACKED_ELEMENTS, IntPtrConstant(2)));
    StoreFixedArrayElement(elements, 0, index, SKIP_WRITE_BARRIER);
    StoreFixedArrayElement(elements, 1, var_value.value(), SKIP_WRITE_BARRIER);

--- a/src/builtins/builtins-array-gen.h
+++ b/src/builtins/builtins-array-gen.h
@ -68,10 +68,6 @@ class ArrayBuiltinsAssembler : public BaseBuiltinsFromDSLAssembler {

  void NullPostLoopAction();

-  // Uses memset to effectively initialize the given FixedArray with Smi zeroes.
-  void FillFixedArrayWithSmiZero(TNode<FixedArray> array,
-                                 TNode<Smi> smi_length);
-
 protected:
  TNode<Context> context() { return context_; }
  TNode<Object> receiver() { return receiver_; }
--- a/src/builtins/builtins-call-gen.cc
+++ b/src/builtins/builtins-call-gen.cc
@ -244,8 +244,8 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructDoubleVarargs(
  CSA_ASSERT(this, WordNotEqual(intptr_length, IntPtrConstant(0)));

  // Allocate a new FixedArray of Objects.
-  TNode<FixedArray> new_elements = AllocateFixedArray(
-      new_kind, intptr_length, CodeStubAssembler::kAllowLargeObjectAllocation);
+  TNode<FixedArray> new_elements = CAST(AllocateFixedArray(
+      new_kind, intptr_length, CodeStubAssembler::kAllowLargeObjectAllocation));
  Branch(Word32Equal(kind, Int32Constant(HOLEY_DOUBLE_ELEMENTS)),
         [=] {
           // Fill the FixedArray with pointers to HeapObjects.
--- a/src/builtins/builtins-collections-gen.cc
+++ b/src/builtins/builtins-collections-gen.cc
@ -2062,8 +2062,8 @@ TNode<Object> WeakCollectionsBuiltinsAssembler::AllocateTable(

  // See HashTable::NewInternal().
  TNode<IntPtrT> length = KeyIndexFromEntry(capacity);
-  TNode<FixedArray> table =
-      AllocateFixedArray(HOLEY_ELEMENTS, length, kAllowLargeObjectAllocation);
+  TNode<FixedArray> table = CAST(
+      AllocateFixedArray(HOLEY_ELEMENTS, length, kAllowLargeObjectAllocation));

  Heap::RootListIndex map_root_index = static_cast<Heap::RootListIndex>(
      EphemeronHashTableShape::GetMapRootIndex());
--- a/src/builtins/builtins-function-gen.cc
+++ b/src/builtins/builtins-function-gen.cc
@ -123,8 +123,8 @@ TF_BUILTIN(FastFunctionPrototypeBind, CodeStubAssembler) {
    GotoIf(Uint32LessThanOrEqual(argc, Int32Constant(1)), &empty_arguments);
    TNode<IntPtrT> elements_length =
        Signed(ChangeUint32ToWord(Unsigned(Int32Sub(argc, Int32Constant(1)))));
-    TNode<FixedArray> elements = AllocateFixedArray(
-        PACKED_ELEMENTS, elements_length, kAllowLargeObjectAllocation);
+    TNode<FixedArray> elements = CAST(AllocateFixedArray(
+        PACKED_ELEMENTS, elements_length, kAllowLargeObjectAllocation));
    VARIABLE(index, MachineType::PointerRepresentation());
    index.Bind(IntPtrConstant(0));
    VariableList foreach_vars({&index}, zone());
--- a/src/builtins/builtins-internal-gen.cc
+++ b/src/builtins/builtins-internal-gen.cc
@ -101,7 +101,7 @@ TF_BUILTIN(NewArgumentsElements, CodeStubAssembler) {
    BIND(&if_notempty);
    {
      // Allocate a FixedArray in new space.
-      TNode<FixedArray> result = AllocateFixedArray(kind, length);
+      TNode<FixedArray> result = CAST(AllocateFixedArray(kind, length));

      // The elements might be used to back mapped arguments. In that case fill
      // the mapped elements (i.e. the first {mapped_count}) with the hole, but
@ -845,7 +845,7 @@ TF_BUILTIN(EnqueueMicrotask, InternalBuiltinsAssembler) {
      // This is the likely case where the new queue fits into new space,
      // and thus we don't need any write barriers for initializing it.
      TNode<FixedArray> new_queue =
-          AllocateFixedArray(PACKED_ELEMENTS, new_queue_length);
+          CAST(AllocateFixedArray(PACKED_ELEMENTS, new_queue_length));
      CopyFixedArrayElements(PACKED_ELEMENTS, queue, new_queue, num_tasks,
                             SKIP_WRITE_BARRIER);
      StoreFixedArrayElement(new_queue, num_tasks, microtask,
@ -859,9 +859,9 @@ TF_BUILTIN(EnqueueMicrotask, InternalBuiltinsAssembler) {
    BIND(&if_lospace);
    {
      // The fallback case where the new queue ends up in large object space.
-      TNode<FixedArray> new_queue = AllocateFixedArray(
+      TNode<FixedArray> new_queue = CAST(AllocateFixedArray(
          PACKED_ELEMENTS, new_queue_length, INTPTR_PARAMETERS,
-          AllocationFlag::kAllowLargeObjectAllocation);
+          AllocationFlag::kAllowLargeObjectAllocation));
      CopyFixedArrayElements(PACKED_ELEMENTS, queue, new_queue, num_tasks);
      StoreFixedArrayElement(new_queue, num_tasks, microtask);
      FillFixedArrayWithValue(PACKED_ELEMENTS, new_queue, new_num_tasks,
--- a/src/builtins/builtins-object-gen.cc
+++ b/src/builtins/builtins-object-gen.cc
@ -293,8 +293,8 @@ TNode<JSArray> ObjectEntriesValuesBuiltinsAssembler::FastGetOwnValuesOrEntries(
  BIND(&if_has_enum_cache);
  {
    GotoIf(WordEqual(object_enum_length, IntPtrConstant(0)), if_no_properties);
-    TNode<FixedArray> values_or_entries = AllocateFixedArray(
-        PACKED_ELEMENTS, object_enum_length, kAllowLargeObjectAllocation);
+    TNode<FixedArray> values_or_entries = CAST(AllocateFixedArray(
+        PACKED_ELEMENTS, object_enum_length, kAllowLargeObjectAllocation));

    // If in case we have enum_cache,
    // we can't detect accessor of object until loop through descriptors.
--- a/src/builtins/builtins-promise-gen.cc
+++ b/src/builtins/builtins-promise-gen.cc
@ -2119,8 +2119,8 @@ TF_BUILTIN(PromiseAllResolveElementClosure, PromiseBuiltinsAssembler) {
      CSA_ASSERT(this, IntPtrLessThan(index, new_elements_length));
      CSA_ASSERT(this, IntPtrLessThan(elements_length, new_elements_length));
      TNode<FixedArray> new_elements =
-          AllocateFixedArray(PACKED_ELEMENTS, new_elements_length,
-                             AllocationFlag::kAllowLargeObjectAllocation);
+          CAST(AllocateFixedArray(PACKED_ELEMENTS, new_elements_length,
+                                  AllocationFlag::kAllowLargeObjectAllocation));
      CopyFixedArrayElements(PACKED_ELEMENTS, elements, PACKED_ELEMENTS,
                             new_elements, elements_length,
                             new_elements_length);
--- a/src/builtins/builtins-string-gen.cc
+++ b/src/builtins/builtins-string-gen.cc
@ -1837,8 +1837,8 @@ TNode<JSArray> StringBuiltinsAssembler::StringToArray(

    ToDirectStringAssembler to_direct(state(), subject_string);
    to_direct.TryToDirect(&call_runtime);
-    TNode<FixedArray> elements = AllocateFixedArray(
-        PACKED_ELEMENTS, length, AllocationFlag::kAllowLargeObjectAllocation);
+    TNode<FixedArray> elements = CAST(AllocateFixedArray(
+        PACKED_ELEMENTS, length, AllocationFlag::kAllowLargeObjectAllocation));
    // Don't allocate anything while {string_data} is live!
    TNode<RawPtrT> string_data = UncheckedCast<RawPtrT>(
        to_direct.PointerToData(&fill_thehole_and_call_runtime));
--- a/src/builtins/growable-fixed-array-gen.cc
+++ b/src/builtins/growable-fixed-array-gen.cc
@ -90,8 +90,8 @@ TNode<FixedArray> GrowableFixedArray::ResizeFixedArray(

  CodeStubAssembler::ExtractFixedArrayFlags flags;
  flags |= CodeStubAssembler::ExtractFixedArrayFlag::kFixedArrays;
-  TNode<FixedArray> to_array = ExtractFixedArray(
-      from_array, nullptr, element_count, new_capacity, flags);
+  TNode<FixedArray> to_array = CAST(ExtractFixedArray(
+      from_array, nullptr, element_count, new_capacity, flags));

  return to_array;
 }
--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@ -3325,8 +3325,8 @@ Node* CodeStubAssembler::AllocateOrderedHashTable() {
  TNode<Map> fixed_array_map = CAST(LoadRoot(
      static_cast<Heap::RootListIndex>(CollectionType::GetMapRootIndex())));
  TNode<FixedArray> table =
-      AllocateFixedArray(elements_kind, length_intptr,
-                         kAllowLargeObjectAllocation, fixed_array_map);
+      CAST(AllocateFixedArray(elements_kind, length_intptr,
+                              kAllowLargeObjectAllocation, fixed_array_map));

  // Initialize the OrderedHashTable fields.
  const WriteBarrierMode barrier_mode = SKIP_WRITE_BARRIER;
@ -3860,7 +3860,7 @@ Node* CodeStubAssembler::CloneFastJSArray(Node* context, Node* array,
  return result;
 }

-TNode<FixedArray> CodeStubAssembler::AllocateFixedArray(
+TNode<FixedArrayBase> CodeStubAssembler::AllocateFixedArray(
    ElementsKind kind, Node* capacity, ParameterMode mode,
    AllocationFlags flags, SloppyTNode<Map> fixed_array_map) {
  Comment("AllocateFixedArray");
@ -3896,7 +3896,7 @@ TNode<FixedArray> CodeStubAssembler::AllocateFixedArray(
  return UncheckedCast<FixedArray>(array);
 }

-TNode<FixedArray> CodeStubAssembler::ExtractFixedArray(
+TNode<FixedArrayBase> CodeStubAssembler::ExtractFixedArray(
    Node* fixed_array, Node* first, Node* count, Node* capacity,
    ExtractFixedArrayFlags extract_flags, ParameterMode parameter_mode) {
  VARIABLE(var_result, MachineRepresentation::kTagged);
@ -4122,6 +4122,48 @@ void CodeStubAssembler::FillFixedArrayWithValue(
      mode);
 }

+void CodeStubAssembler::FillFixedArrayWithSmiZero(TNode<FixedArray> array,
+                                                  TNode<IntPtrT> length) {
+  CSA_ASSERT(this, WordEqual(length, LoadAndUntagFixedArrayBaseLength(array)));
+
+  TNode<IntPtrT> byte_length = TimesPointerSize(length);
+  CSA_ASSERT(this, UintPtrLessThan(length, byte_length));
+
+  static const int32_t fa_base_data_offset =
+      FixedArray::kHeaderSize - kHeapObjectTag;
+  TNode<IntPtrT> backing_store = IntPtrAdd(BitcastTaggedToWord(array),
+                                           IntPtrConstant(fa_base_data_offset));
+
+  // Call out to memset to perform initialization.
+  TNode<ExternalReference> memset =
+      ExternalConstant(ExternalReference::libc_memset_function());
+  STATIC_ASSERT(kSizetSize == kIntptrSize);
+  CallCFunction3(MachineType::Pointer(), MachineType::Pointer(),
+                 MachineType::IntPtr(), MachineType::UintPtr(), memset,
+                 backing_store, IntPtrConstant(0), byte_length);
+}
+
+void CodeStubAssembler::FillFixedDoubleArrayWithZero(
+    TNode<FixedDoubleArray> array, TNode<IntPtrT> length) {
+  CSA_ASSERT(this, WordEqual(length, LoadAndUntagFixedArrayBaseLength(array)));
+
+  TNode<IntPtrT> byte_length = TimesDoubleSize(length);
+  CSA_ASSERT(this, UintPtrLessThan(length, byte_length));
+
+  static const int32_t fa_base_data_offset =
+      FixedDoubleArray::kHeaderSize - kHeapObjectTag;
+  TNode<IntPtrT> backing_store = IntPtrAdd(BitcastTaggedToWord(array),
+                                           IntPtrConstant(fa_base_data_offset));
+
+  // Call out to memset to perform initialization.
+  TNode<ExternalReference> memset =
+      ExternalConstant(ExternalReference::libc_memset_function());
+  STATIC_ASSERT(kSizetSize == kIntptrSize);
+  CallCFunction3(MachineType::Pointer(), MachineType::Pointer(),
+                 MachineType::IntPtr(), MachineType::UintPtr(), memset,
+                 backing_store, IntPtrConstant(0), byte_length);
+}
+
 void CodeStubAssembler::CopyFixedArrayElements(
    ElementsKind from_kind, Node* from_array, ElementsKind to_kind,
    Node* to_array, Node* first_element, Node* element_count, Node* capacity,
@ -4887,8 +4929,12 @@ TNode<UintPtrT> CodeStubAssembler::ChangeNonnegativeNumberToUintPtr(
  return result.value();
 }

-SloppyTNode<WordT> CodeStubAssembler::TimesPointerSize(Node* value) {
-  return WordShl(value, IntPtrConstant(kPointerSizeLog2));
+TNode<WordT> CodeStubAssembler::TimesPointerSize(SloppyTNode<WordT> value) {
+  return WordShl(value, kPointerSizeLog2);
+}
+
+TNode<WordT> CodeStubAssembler::TimesDoubleSize(SloppyTNode<WordT> value) {
+  return WordShl(value, kDoubleSizeLog2);
 }

 Node* CodeStubAssembler::ToThisValue(Node* context, Node* value,
--- a/src/code-stub-assembler.h
+++ b/src/code-stub-assembler.h
@ -1387,18 +1387,35 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
                           Node* capacity = nullptr,
                           Node* allocation_site = nullptr);

-  TNode<FixedArray> AllocateFixedArray(
+  TNode<FixedArrayBase> AllocateFixedArray(
      ElementsKind kind, Node* capacity, ParameterMode mode = INTPTR_PARAMETERS,
      AllocationFlags flags = kNone,
      SloppyTNode<Map> fixed_array_map = nullptr);

-  TNode<FixedArray> AllocateFixedArray(
+  TNode<FixedArrayBase> AllocateFixedArray(
      ElementsKind kind, TNode<IntPtrT> capacity, AllocationFlags flags,
      SloppyTNode<Map> fixed_array_map = nullptr) {
    return AllocateFixedArray(kind, capacity, INTPTR_PARAMETERS, flags,
                              fixed_array_map);
  }

+  TNode<FixedArray> AllocateZeroedFixedArray(TNode<IntPtrT> capacity) {
+    TNode<FixedArray> result = UncheckedCast<FixedArray>(
+        AllocateFixedArray(PACKED_ELEMENTS, capacity,
+                           AllocationFlag::kAllowLargeObjectAllocation));
+    FillFixedArrayWithSmiZero(result, capacity);
+    return result;
+  }
+
+  TNode<FixedDoubleArray> AllocateZeroedFixedDoubleArray(
+      TNode<IntPtrT> capacity) {
+    TNode<FixedDoubleArray> result = UncheckedCast<FixedDoubleArray>(
+        AllocateFixedArray(FLOAT64_ELEMENTS, capacity,
+                           AllocationFlag::kAllowLargeObjectAllocation));
+    FillFixedDoubleArrayWithZero(result, capacity);
+    return result;
+  }
+
  Node* AllocatePropertyArray(Node* capacity,
                              ParameterMode mode = INTPTR_PARAMETERS,
                              AllocationFlags flags = kNone);
@ -1419,6 +1436,12 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
                               Heap::RootListIndex value_root_index,
                               ParameterMode mode = INTPTR_PARAMETERS);

+  // Uses memset to effectively initialize the given FixedArray with zeroes.
+  void FillFixedArrayWithSmiZero(TNode<FixedArray> array,
+                                 TNode<IntPtrT> length);
+  void FillFixedDoubleArrayWithZero(TNode<FixedDoubleArray> array,
+                                    TNode<IntPtrT> length);
+
  void FillPropertyArrayWithUndefined(Node* array, Node* from_index,
                                      Node* to_index,
                                      ParameterMode mode = INTPTR_PARAMETERS);
@ -1515,15 +1538,15 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
  // passed as the |source| parameter.
  // * |parameter_mode| determines the parameter mode of |first|, |count| and
  // |capacity|.
-  TNode<FixedArray> ExtractFixedArray(
+  TNode<FixedArrayBase> ExtractFixedArray(
      Node* source, Node* first, Node* count = nullptr,
      Node* capacity = nullptr,
      ExtractFixedArrayFlags extract_flags =
          ExtractFixedArrayFlag::kAllFixedArrays,
      ParameterMode parameter_mode = INTPTR_PARAMETERS);

-  TNode<FixedArray> ExtractFixedArray(
-      TNode<FixedArray> source, TNode<Smi> first, TNode<Smi> count,
+  TNode<FixedArrayBase> ExtractFixedArray(
+      TNode<FixedArrayBase> source, TNode<Smi> first, TNode<Smi> count,
      TNode<Smi> capacity,
      ExtractFixedArrayFlags extract_flags =
          ExtractFixedArrayFlag::kAllFixedArrays) {
@ -1631,7 +1654,20 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
                                   Variable* var_numeric,
                                   Variable* var_feedback);

-  SloppyTNode<WordT> TimesPointerSize(Node* value);
+  TNode<WordT> TimesPointerSize(SloppyTNode<WordT> value);
+  TNode<IntPtrT> TimesPointerSize(TNode<IntPtrT> value) {
+    return Signed(TimesPointerSize(implicit_cast<TNode<WordT>>(value)));
+  }
+  TNode<UintPtrT> TimesPointerSize(TNode<UintPtrT> value) {
+    return Unsigned(TimesPointerSize(implicit_cast<TNode<WordT>>(value)));
+  }
+  TNode<WordT> TimesDoubleSize(SloppyTNode<WordT> value);
+  TNode<UintPtrT> TimesDoubleSize(TNode<UintPtrT> value) {
+    return Unsigned(TimesDoubleSize(implicit_cast<TNode<WordT>>(value)));
+  }
+  TNode<IntPtrT> TimesDoubleSize(TNode<IntPtrT> value) {
+    return Signed(TimesDoubleSize(implicit_cast<TNode<WordT>>(value)));
+  }

  // Type conversions.
  // Throws a TypeError for {method_name} if {value} is not coercible to Object,
--- a/test/cctest/compiler/test-code-generator.cc
+++ b/test/cctest/compiler/test-code-generator.cc
@ -83,8 +83,8 @@ Handle<Code> BuildSetupFunction(Isolate* isolate,
  // First allocate the FixedArray which will hold the final results. Here we
  // should take care of all allocations, meaning we allocate HeapNumbers and
  // FixedArrays representing Simd128 values.
-  TNode<FixedArray> state_out = __ AllocateFixedArray(
-      PACKED_ELEMENTS, __ IntPtrConstant(parameters.size()));
+  TNode<FixedArray> state_out = __ Cast(__ AllocateFixedArray(
+      PACKED_ELEMENTS, __ IntPtrConstant(parameters.size())));
  for (int i = 0; i < static_cast<int>(parameters.size()); i++) {
    switch (parameters[i].representation()) {
      case MachineRepresentation::kTagged:
@ -94,8 +94,8 @@ Handle<Code> BuildSetupFunction(Isolate* isolate,
        __ StoreFixedArrayElement(state_out, i, __ AllocateHeapNumber());
        break;
      case MachineRepresentation::kSimd128: {
-        TNode<FixedArray> vector =
-            __ AllocateFixedArray(PACKED_SMI_ELEMENTS, __ IntPtrConstant(4));
+        TNode<FixedArray> vector = __ Cast(
+            __ AllocateFixedArray(PACKED_SMI_ELEMENTS, __ IntPtrConstant(4)));
        for (int lane = 0; lane < 4; lane++) {
          __ StoreFixedArrayElement(vector, lane, __ SmiConstant(0));
        }
--- a/test/cctest/test-code-stub-assembler.cc
+++ b/test/cctest/test-code-stub-assembler.cc
@ -2379,7 +2379,8 @@ TEST(CreatePromiseResolvingFunctions) {
  std::tie(resolve, reject) = m.CreatePromiseResolvingFunctions(
      promise, m.BooleanConstant(false), native_context);
  Node* const kSize = m.IntPtrConstant(2);
-  TNode<FixedArray> const arr = m.AllocateFixedArray(PACKED_ELEMENTS, kSize);
+  TNode<FixedArray> const arr =
+      m.Cast(m.AllocateFixedArray(PACKED_ELEMENTS, kSize));
  m.StoreFixedArrayElement(arr, 0, resolve);
  m.StoreFixedArrayElement(arr, 1, reject);
  m.Return(arr);
--- a/test/torque/test-torque.tq
+++ b/test/torque/test-torque.tq
@ -428,8 +428,7 @@ module test {

  macro TestTypeswitch() {
    check(TypeswitchExample(from_constexpr<Smi>(5)) == 26);
-    const a : FixedArray = AllocateFixedArray(PACKED_ELEMENTS, 3);
-    a[0] = a[1] = a[2] = from_constexpr<Smi>(0);
+    const a : FixedArray = AllocateZeroedFixedArray(3);
    check(TypeswitchExample(a) == 13);
    check(TypeswitchExample(from_constexpr<Number>(0.5)) == 27);
  }
--- a/third_party/v8/builtins/array-sort.tq
+++ b/third_party/v8/builtins/array-sort.tq
@ -472,10 +472,8 @@ module array {
      return GetTempArray(sortState);
    }

-    const temp_array: FixedArray = AllocateFixedArray(
-        PACKED_ELEMENTS, convert<intptr>(min_size), INTPTR_PARAMETERS,
-        kAllowLargeObjectAllocation);
-    FillFixedArrayWithSmiZero(temp_array, min_size);
+    const temp_array: FixedArray =
+        AllocateZeroedFixedArray(convert<intptr>(min_size));

    sortState[kTempArraySizeIdx] = min_size;
    sortState[kTempArrayIdx] = temp_array;
@ -1643,8 +1641,7 @@ module array {

    SetPendingRunsSize(sortState, 0);
    let pending_runs: FixedArray =
-        AllocateFixedArray(PACKED_ELEMENTS, convert<intptr>(kMaxMergePending));
-    FillFixedArrayWithSmiZero(pending_runs, kMaxMergePending);
+        AllocateZeroedFixedArray(convert<intptr>(kMaxMergePending));
    sortState[kPendingRunsIdx] = pending_runs;
  }

@ -1738,7 +1735,6 @@ module array {
  // array and move the undefineds after that. Holes are removed.
  // This happens for Array as well as non-Array objects.
  extern runtime PrepareElementsForSort(Context, Object, Number): Smi;
-  extern macro FillFixedArrayWithSmiZero(FixedArray, Smi);

  // https://tc39.github.io/ecma262/#sec-array.prototype.sort
  javascript builtin ArrayPrototypeSort(
@ -1754,9 +1750,7 @@ module array {
    const obj: JSReceiver = ToObject_Inline(context, receiver);
    let map: Map = obj.map;

-    const sort_state: FixedArray =
-        AllocateFixedArray(PACKED_ELEMENTS, kSortStateSize);
-    FillFixedArrayWithSmiZero(sort_state, SmiTag(kSortStateSize));
+    const sort_state: FixedArray = AllocateZeroedFixedArray(kSortStateSize);

    sort_state[kReceiverIdx] = obj;
    sort_state[kUserCmpFnIdx] = comparefnObj;