[turbofan] Fix lowering of Array constructor with one argument.

Only create a singleton array for Array(len) if Type(len) cannot be Number, otherwise we might need to throw an exception instead. BUG=chromium:715404 R=jarin@chromium.org Review-Url: https://codereview.chromium.org/2838123004 Cr-Commit-Position: refs/heads/master@{#44886}
2017-04-26 05:02:12 -07:00 · 2017-04-26 05:02:12 -07:00 · d06d4ce2c4
commit d06d4ce2c4
parent 9deed4095d
2 changed files with 12 additions and 1 deletions
--- a/src/compiler/js-create-lowering.cc
+++ b/src/compiler/js-create-lowering.cc
@ -815,7 +815,7 @@ Reduction JSCreateLowering::ReduceJSCreateArray(Node* node) {
    } else if (p.arity() == 1) {
      Node* length = NodeProperties::GetValueInput(node, 2);
      Type* length_type = NodeProperties::GetType(length);
-      if (!length_type->Maybe(Type::Unsigned32())) {
+      if (!length_type->Maybe(Type::Number())) {
        // Handle the single argument case, where we know that the value
        // cannot be a valid Array length.
        return ReduceNewArray(node, {length}, site);
--- a/test/mjsunit/regress/regress-crbug-715404.js
+++ b/test/mjsunit/regress/regress-crbug-715404.js
@ -0,0 +1,11 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() { Array(-1); }
+assertThrows(foo, RangeError);
+assertThrows(foo, RangeError);
+%OptimizeFunctionOnNextCall(foo);
+assertThrows(foo, RangeError);