[ic] Fix elements conversion in KeyedStoreGeneric
A SmiUntag() was missing when loading the old backing store's length. BUG=chromium:664469 Review-Url: https://codereview.chromium.org/2492783004 Cr-Commit-Position: refs/heads/master@{#40921}
parent
556217427d
commit
567904f1a7
@ -139,7 +139,7 @@ void KeyedStoreGenericAssembler::TryRewriteElements(
|
||||
{
|
||||
if (IsFastDoubleElementsKind(from_kind) !=
|
||||
IsFastDoubleElementsKind(to_kind)) {
|
||||
Node* capacity = LoadFixedArrayBaseLength(elements);
|
||||
Node* capacity = SmiUntag(LoadFixedArrayBaseLength(elements));
|
||||
GrowElementsCapacity(receiver, elements, from_kind, to_kind, capacity,
|
||||
capacity, INTPTR_PARAMETERS, bailout);
|
||||
}
|
||||
|
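Review bot: Nothing at the `capacity` declaration records that the value must be an untagged word, which is the contract the missing `SmiUntag()` violated: `capacity` is passed twice to `GrowElementsCapacity` under `INTPTR_PARAMETERS`, while the length load evidently yields a tagged Smi. A tagged length read as a raw integer overstates the size of the old backing store, so the copy into the new store can presumably read past the end of `elements`, which makes this a memory-safety issue rather than just a wrong result. I would add a comment above the declaration, e.g. `// INTPTR_PARAMETERS: capacity must be untagged before it reaches GrowElementsCapacity.`, and check the other uses of `LoadFixedArrayBaseLength` in this file for the same mismatch. TryRewriteElements starts and ends outside the hunk, so its other uses of the length are not visible here.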
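--- a/test/mjsunit/regress/regress-crbug-664469.js
+++ b/test/mjsunit/regress/regress-crbug-664469.js
@@ -0,0 +1,21 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f(a, i) {
+a[i] = "object";
+}
+
+f("make it generic", 0);
+
+// Nearly kMaxRegularHeapObjectSize's worth of doubles.
+var kLength = 500000 / 8;
+var kValue = 0.1;
+var a = new Array(kLength);
+for (var i = 0; i < kLength; i++) {
+a[i] = kValue;
+}
+f(a, 0);
+for (var i = 1; i < kLength; i++) {
+assertEquals(kValue, a[i]);
+}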
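Review bot: The final loop starts at index 1 and nothing checks `a[0]`, so the test verifies that the doubles survive the elements-kind transition but not that the store itself landed; adding `assertEquals("object", a[0]);` after `f(a, 0);` would cover it. The size comment ties `500000 / 8` to kMaxRegularHeapObjectSize without saying why the size matters for the bug; one more comment line stating that the array must be large enough for a wrong copy length to be observable (if that is the intent) would help the next reader. Likewise `f("make it generic", 0);` deserves a short comment that the string receiver is presumably there to push the store in `f` onto the generic path.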