Fix invalid fast return in splice when returned array is empty.

src/builtins.cc

Index: src/builtins.cc
diff --git a/src/builtins.cc b/src/builtins.cc
index 50f36e56e6b7ee3f27a06e7082d58db1143eede6..fc77c2b920bf53f47c820ff7a775c1ec1b5c3462 100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -616,30 +616,34 @@ BUILTIN(ArraySplice) {
     }
   }
   int actualDeleteCount = Min(Max(deleteCount, 0), len - actualStart);

[Kasper Lund, 2010/03/05 07:08:14]

Don't use camelCase for local variables.

-  if (actualDeleteCount == 0) {
-    return AllocateEmptyJSArray();
-  }
 
-  // Allocate result array.
-  Object* result = AllocateJSArray();
-  if (result->IsFailure()) return result;
-  JSArray* result_array = JSArray::cast(result);
+  FixedArray* elms = FixedArray::cast(array->elements());
 
-  result = Heap::AllocateUninitializedFixedArray(actualDeleteCount);
-  if (result->IsFailure()) return result;
-  FixedArray* result_elms = FixedArray::cast(result);
+  JSArray* result_array = NULL;
+  if (actualDeleteCount == 0) {
+    Object* result = AllocateEmptyJSArray();
+    if (result->IsFailure()) return result;
+    result_array = JSArray::cast(result);
+  } else {
+    // Allocate result array.
+    Object* result = AllocateJSArray();
+    if (result->IsFailure()) return result;
+    result_array = JSArray::cast(result);
 
-  FixedArray* elms = FixedArray::cast(array->elements());
+    result = Heap::AllocateUninitializedFixedArray(actualDeleteCount);
+    if (result->IsFailure()) return result;
+    FixedArray* result_elms = FixedArray::cast(result);
 
-  AssertNoAllocation no_gc;
-  // Fill newly created array.
-  CopyElements(&no_gc, result_elms, 0, elms, actualStart, actualDeleteCount);
+    AssertNoAllocation no_gc;
+    // Fill newly created array.
+    CopyElements(&no_gc, result_elms, 0, elms, actualStart, actualDeleteCount);
 
-  // Set elements.
-  result_array->set_elements(result_elms);
+    // Set elements.
+    result_array->set_elements(result_elms);
 
-  // Set the length.
-  result_array->set_length(Smi::FromInt(actualDeleteCount));
+    // Set the length.
+    result_array->set_length(Smi::FromInt(actualDeleteCount));
+  }
 
   int itemCount = (n_arguments > 1) ? (n_arguments - 2) : 0;

[Kasper Lund, 2010/03/05 07:08:14]

Don't use camelCase for local variables.

 
@@ -647,6 +651,7 @@ BUILTIN(ArraySplice) {
 
   if (itemCount < actualDeleteCount) {
     // Shrink the array.
+    AssertNoAllocation no_gc;
     MoveElements(&no_gc,
                  elms, actualStart + itemCount,
                  elms, actualStart + actualDeleteCount,
@@ -667,6 +672,7 @@ BUILTIN(ArraySplice) {
       if (obj->IsFailure()) return obj;
       FixedArray* new_elms = FixedArray::cast(obj);
 
+      AssertNoAllocation no_gc;
       // Copy the part before actualStart as is.
       CopyElements(&no_gc, new_elms, 0, elms, 0, actualStart);
       FillWithHoles(new_elms, new_length, capacity);
@@ -676,12 +682,14 @@ BUILTIN(ArraySplice) {
       array->set_elements(elms);
     }
 
+    AssertNoAllocation no_gc;
     MoveElements(&no_gc,
                  elms, actualStart + itemCount,
                  source_elms, actualStart + actualDeleteCount,
                  (len - actualDeleteCount - actualStart));
   }
 
+  AssertNoAllocation no_gc;
   WriteBarrierMode mode = elms->GetWriteBarrierMode(no_gc);
   for (int k = actualStart; k < actualStart + itemCount; k++) {
     elms->set(k, args[3 + k - actualStart], mode);