Minor bugfix in building inlined Array: bad argument to JSArrayBuilder.

An HConstant pointing to a Cell rather than an AllocationSite
was passed. The argument wasn't used because of fortuitous
flags. An assert was added to protect the argument.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/141533003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18666 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
mvstanton@chromium.org 2014-01-17 12:18:57 +00:00
parent 83d02a8ad0
commit b2bea46245


@ -2704,6 +2704,9 @@ HGraphBuilder::JSArrayBuilder::JSArrayBuilder(HGraphBuilder* builder,
kind_(kind),
allocation_site_payload_(allocation_site_payload),
constructor_function_(constructor_function) {
ASSERT(!allocation_site_payload->IsConstant() ||
HConstant::cast(allocation_site_payload)->handle(
builder_->isolate())->IsAllocationSite());
mode_ = override_mode == DISABLE_ALLOCATION_SITES
? DONT_TRACK_ALLOCATION_SITE
: AllocationSite::GetMode(kind);
@ -7944,10 +7947,10 @@ void HOptimizedGraphBuilder::BuildInlinedCallNewArray(CallNew* expr) {
Handle<Cell> cell = expr->allocation_info_cell();
Handle<AllocationSite> site(AllocationSite::cast(cell->value()));
// Register on the site for deoptimization if the cell value changes.
// Register on the site for deoptimization if the transition feedback changes.
AllocationSite::AddDependentCompilationInfo(
site, AllocationSite::TRANSITIONS, top_info());
HInstruction* cell_instruction = Add<HConstant>(cell);
HInstruction* site_instruction = Add<HConstant>(site);
// In the single constant argument case, we may have to adjust elements kind
// to avoid creating a packed non-empty array.
@ -7966,7 +7969,7 @@ void HOptimizedGraphBuilder::BuildInlinedCallNewArray(CallNew* expr) {
// Build the array.
JSArrayBuilder array_builder(this,
kind,
cell_instruction,
site_instruction,
constructor,
DISABLE_ALLOCATION_SITES);
HValue* new_object;
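Review bot: The new ASSERT in the JSArrayBuilder constructor (first hunk) dereferences `allocation_site_payload` unconditionally via `->IsConstant()`, so it only holds if every caller passes a non-null payload; the other call sites are not visible here, so if a null payload is ever legal the check should read `ASSERT(allocation_site_payload == NULL || !allocation_site_payload->IsConstant() || ...)`. Because ASSERT compiles out of release builds, the Cell-vs-AllocationSite mix-up this commit corrects in BuildInlinedCallNewArray would still pass silently there, which is worth stating beside the check: `// When the payload is a constant it must be the AllocationSite itself, not the Cell holding it; release builds do not verify this.` It is also worth confirming that `HConstant::handle(builder_->isolate())` has no side effect for non-handle-backed constants, since it now runs inside an ASSERT in debug builds only. The constructor's initializer list starts, and BuildInlinedCallNewArray continues, outside the hunks shown.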