Fix invalid array length check in TransitionElementsKindStub.

src/code-stubs-hydrogen.cc

Index: src/code-stubs-hydrogen.cc
diff --git a/src/code-stubs-hydrogen.cc b/src/code-stubs-hydrogen.cc
index 16f4ac019ec47d456fdb81ec7dd2d013354c8cfb..2d703c9068c675f577124ac4351b8c89ca374aa1 100644
--- a/src/code-stubs-hydrogen.cc
+++ b/src/code-stubs-hydrogen.cc
@@ -541,20 +541,20 @@ HValue* CodeStubGraphBuilder<TransitionElementsKindStub>::BuildCodeStub() {
     Add<HTrapAllocationMemento>(js_array);
   }
 
-  HInstruction* array_length =
-      AddLoad(js_array, HObjectAccess::ForArrayLength());
-  array_length->set_type(HType::Smi());
+  HInstruction* elements = AddLoadElements(js_array);
+
+  HInstruction* elements_length = AddLoadFixedArrayLength(elements);
 
   IfBuilder if_builder(this);
 
-  if_builder.IfNot<HCompareNumericAndBranch>(array_length,
+  if_builder.IfNot<HCompareNumericAndBranch>(elements_length,
                                              graph()->GetConstant0(),
                                              Token::EQ);
   if_builder.Then();

[mvstanton, 2013/07/16 13:01:07]

There might still be an issue here. What if you are going from a 0 size DOUBLE
array to a 0 size TAGGED array. I think that you need to do more than just set
the map of the array. You also need to point the elements property to the
factory->fixed_array_map(), because it's currently pointing to the
factory->fixed_double_array_map(). I guess this would be the "else" case for
your IfBuilder.

 
-  HInstruction* elements = AddLoadElements(js_array);
-
-  HInstruction* elements_length = AddLoadFixedArrayLength(elements);
+  HInstruction* array_length =
+      AddLoad(js_array, HObjectAccess::ForArrayLength());
+  array_length->set_type(HType::Smi());
 
   BuildGrowElementsCapacity(js_array, elements, from_kind, to_kind,
                             array_length, elements_length);