Undo allocation of half-formed array during elements transition

src/x64/builtins-x64.cc

-// Copyright 2011 the V8 project authors. All rights reserved.
+// Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
 //       with the distribution.
@@ skipping 1180 matching lines @@
 //   rsp[0]: return address
 //   rsp[8]: last argument
 // This function is used for both construct and normal calls of Array. The only
 // difference between handling a construct call and a normal call is that for a
 // construct call the constructor function in rdi needs to be preserved for
 // entering the generic code. In both cases argc in rax needs to be preserved.
 // Both registers are preserved by this code so no need to differentiate between
 // a construct call and a normal call.
 static void ArrayNativeCode(MacroAssembler* masm,
                             Label *call_generic_code) {
-  Label argc_one_or_more, argc_two_or_more, empty_array, not_empty_array;
+  Label argc_one_or_more, argc_two_or_more, empty_array, not_empty_array,
+      has_non_smi_element;
 
   // Check for array construction with zero arguments.
   __ testq(rax, rax);
   __ j(not_zero, &argc_one_or_more);
 
   __ bind(&empty_array);
   // Handle construction of an empty array.
   AllocateEmptyJSArray(masm,
                        rdi,
                        rbx,
@@ skipping 86 matching lines @@
   // rdx: location of the first array element
   // r9: location of the last argument
   // esp[0]: return address
   // esp[8]: last argument
   Label loop, entry;
   __ movq(rcx, rax);
   __ jmp(&entry);
   __ bind(&loop);
   __ movq(kScratchRegister, Operand(r9, rcx, times_pointer_size, 0));
   if (FLAG_smi_only_arrays) {
-    __ JumpIfNotSmi(kScratchRegister, call_generic_code);
+    __ JumpIfNotSmi(kScratchRegister, &has_non_smi_element);
   }
   __ movq(Operand(rdx, 0), kScratchRegister);
   __ addq(rdx, Immediate(kPointerSize));
   __ bind(&entry);
   __ decq(rcx);
   __ j(greater_equal, &loop);
 
   // Remove caller arguments from the stack and return.
   // rax: argc
   // rbx: JSArray
   // esp[0]: return address
   // esp[8]: last argument
   __ pop(rcx);
   __ lea(rsp, Operand(rsp, rax, times_pointer_size, 1 * kPointerSize));
   __ push(rcx);
   __ movq(rax, rbx);
   __ ret(0);
+
+  __ bind(&has_non_smi_element);
+  __ UndoAllocationInNewSpace(rbx);
+  __ jmp(call_generic_code);
 }
 
 
 void Builtins::Generate_InternalArrayCode(MacroAssembler* masm) {
   // ----------- S t a t e -------------
   //  -- rax : argc
   //  -- rsp[0] : return address
   //  -- rsp[8] : last argument
   // -----------------------------------
   Label generic_array_code;
@@ skipping 274 matching lines @@
   Deoptimizer::EntryGenerator generator(masm, Deoptimizer::OSR);
   generator.Generate();
 }
 
 
 #undef __
 
 } }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_X64