[Builtins] Eliminate the fast path in constructor entries

The initial fast array may change, invalidating assumptions. Bug: chromium:798026 Change-Id: Iddcc40867221a2a58aef33b64e7399e0f2784e89 Reviewed-on: https://chromium-review.googlesource.com/850356 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#50363}
2018-01-04 15:57:29 +01:00 · 2018-01-04 15:57:29 +01:00 · a10689dba9
commit a10689dba9
parent 971875ca4d
2 changed files with 16 additions and 6 deletions
--- a/src/builtins/builtins-collections-gen.cc
+++ b/src/builtins/builtins-collections-gen.cc
@ -162,13 +162,9 @@ void BaseCollectionsAssembler::AddConstructorEntries(
    TNode<BoolT> is_fast_jsarray) {
  Label exit(this), slow_loop(this, Label::kDeferred);
  GotoIf(IsNullOrUndefined(initial_entries), &exit);
-  GotoIfNot(is_fast_jsarray, &slow_loop);

-  AddConstructorEntriesFromFastJSArray(variant, context, collection,
-                                       UncheckedCast<JSArray>(initial_entries));
-  Goto(&exit);
-
-  BIND(&slow_loop);
+  // TODO(mvstanton): Re-enable the fast path when a fix is found for
+  // crbug.com/798026.
  {
    AddConstructorEntriesFromIterable(variant, context, native_context,
                                      collection, initial_entries);
--- a/test/mjsunit/regress/regress-crbug-798026.js
+++ b/test/mjsunit/regress/regress-crbug-798026.js
@ -0,0 +1,14 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --expose-gc
+
+array = new Array(4 * 1024 * 1024);
+Set.prototype.add = value => {
+  if (array.length != 1) {
+    array.length = 1;
+    gc();
+  }
+}
+new Set(array);