[ic] Fix elements conversion in KeyedStoreGeneric

A SmiUntag() was missing when loading the old backing store's length.

BUG=chromium:664469

Review-Url: https://codereview.chromium.org/2492783004
Cr-Commit-Position: refs/heads/master@{#40921}
This commit is contained in:
jkummerow 2016-11-11 05:01:49 -08:00 committed by Commit bot
parent 556217427d
commit 567904f1a7
2 changed files with 22 additions and 1 deletions


@ -139,7 +139,7 @@ void KeyedStoreGenericAssembler::TryRewriteElements(
{
if (IsFastDoubleElementsKind(from_kind) !=
IsFastDoubleElementsKind(to_kind)) {
Node* capacity = LoadFixedArrayBaseLength(elements);
Node* capacity = SmiUntag(LoadFixedArrayBaseLength(elements));
GrowElementsCapacity(receiver, elements, from_kind, to_kind, capacity,
capacity, INTPTR_PARAMETERS, bailout);
}
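Review bot: The call at `GrowElementsCapacity(receiver, elements, from_kind, to_kind, capacity, capacity, INTPTR_PARAMETERS, bailout)` passes the same untagged value for what look like the current and the requested capacity, and nothing in the hunk says why; a reader checking the new `SmiUntag` against `INTPTR_PARAMETERS` has to infer that this branch converts the element kind in place rather than growing the store. I would add above the call `// Same old and new capacity: only the elements kind changes here, the` / `// backing store is not grown. Length is untagged to match INTPTR_PARAMETERS.` — the "current/new capacity" reading of the two arguments is inferred from the call shape and should be confirmed against GrowElementsCapacity's signature. The body of TryRewriteElements continues outside the hunk on both sides.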


@ -0,0 +1,21 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f(a, i) {
a[i] = "object";
}
f("make it generic", 0);
// Nearly kMaxRegularHeapObjectSize's worth of doubles.
var kLength = 500000 / 8;
var kValue = 0.1;
var a = new Array(kLength);
for (var i = 0; i < kLength; i++) {
a[i] = kValue;
}
f(a, 0);
for (var i = 1; i < kLength; i++) {
assertEquals(kValue, a[i]);
}
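Review bot: The verification loop at `for (var i = 1; i < kLength; i++)` never checks index 0, so the store that triggers the double-to-object conversion is exercised but its result is not asserted; adding `assertEquals("object", a[0]);` after the loop pins the actual write as well as the survival of the other elements. The file also does not say what it regresses against: a header comment such as `// Regression test for chromium:664469: a large fast-double array converted by a generic keyed store (the old length was read as a tagged Smi).` would let a future reader connect the 500000/8 sizing to the bug rather than guessing. The claim about the old length being read tagged comes from the commit description, not from this file, so word the comment accordingly.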