diff --git a/src/hydrogen.cc b/src/hydrogen.cc index d2624161bc..7ac1d5e265 100644 --- a/src/hydrogen.cc +++ b/src/hydrogen.cc @@ -7786,23 +7786,28 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall( HValue* value_to_push = Pop(); HValue* array = Pop(); - HValue* length = Add(array, static_cast(NULL), - HObjectAccess::ForArrayLength(elements_kind)); + HInstruction* new_size = NULL; + HValue* length = NULL; { NoObservableSideEffectsScope scope(this); + length = Add(array, static_cast(NULL), + HObjectAccess::ForArrayLength(elements_kind)); + + new_size = AddUncasted(length, graph()->GetConstant1()); + bool is_array = receiver_map->instance_type() == JS_ARRAY_TYPE; BuildUncheckedMonomorphicElementAccess(array, length, value_to_push, is_array, elements_kind, STORE, NEVER_RETURN_HOLE, STORE_AND_GROW_NO_TRANSITION); + Add(expr->id(), REMOVABLE_SIMULATE); } - HInstruction* new_size = NewUncasted(length, Add(argc)); Drop(1); // Drop function. - ast_context()->ReturnInstruction(new_size, expr->id()); + ast_context()->ReturnValue(new_size); return true; } default: diff --git a/test/mjsunit/array-push9.js b/test/mjsunit/array-push9.js new file mode 100644 index 0000000000..d80cee89ea --- /dev/null +++ b/test/mjsunit/array-push9.js @@ -0,0 +1,29 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax --deopt-every-n-times=5 --nodead-code-elimination + +var array = []; + +function push(array, value) { + array.push(value); +} + +push(array, 0); +push(array, 1); +push(array, 2); +%OptimizeFunctionOnNextCall(push); +push(array, 3); + +var v = 0; +Object.defineProperty(Array.prototype, "4", { + get: function() { return 100; }, + set: function(value) { v = value; } +}); + +push(array, 4); + +assertEquals(5, array.length); +assertEquals(100, array[4]); +assertEquals(4, v);