[deoptimizer] Materialize JSArray objects without context.

This fixes the materialization of JSArray objects to not rely on a context being available. The context has been cleared because it might be de-materiallized itself. R=bmeurer@chromium.org BUG=chromium:644245 Review-Url: https://codereview.chromium.org/2323713002 Cr-Commit-Position: refs/heads/master@{#39274}
2016-09-08 04:37:44 -07:00 · 2016-09-08 04:37:44 -07:00 · 517a54286d
commit 517a54286d
parent fdab63f56e
1 changed files with 2 additions and 2 deletions
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@ -3762,8 +3762,8 @@ Handle<Object> TranslatedState::MaterializeAt(int frame_index,
          return object;
        }
        case JS_ARRAY_TYPE: {
-          Handle<JSArray> object =
-              isolate_->factory()->NewJSArray(0, map->elements_kind());
+          Handle<JSArray> object = Handle<JSArray>::cast(
+              isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED));
          slot->value_ = object;
          Handle<Object> properties = MaterializeAt(frame_index, value_index);
          Handle<Object> elements = MaterializeAt(frame_index, value_index);