| Index: src/code-stubs-hydrogen.cc
|
| diff --git a/src/code-stubs-hydrogen.cc b/src/code-stubs-hydrogen.cc
|
| index 16f4ac019ec47d456fdb81ec7dd2d013354c8cfb..9ea87abb54641383d35fc7df8d2b7fe1f1a01af9 100644
|
| --- a/src/code-stubs-hydrogen.cc
|
| +++ b/src/code-stubs-hydrogen.cc
|
| @@ -541,21 +541,23 @@ HValue* CodeStubGraphBuilder<TransitionElementsKindStub>::BuildCodeStub() {
|
| Add<HTrapAllocationMemento>(js_array);
|
| }
|
|
|
| - HInstruction* array_length =
|
| - AddLoad(js_array, HObjectAccess::ForArrayLength());
|
| - array_length->set_type(HType::Smi());
|
| + HInstruction* elements = AddLoadElements(js_array);
|
| +
|
| + HInstruction* empty_fixed_array = Add<HConstant>(
|
| + isolate()->factory()->empty_fixed_array(), Representation::Tagged());
|
|
|
| IfBuilder if_builder(this);
|
|
|
| - if_builder.IfNot<HCompareNumericAndBranch>(array_length,
|
| - graph()->GetConstant0(),
|
| - Token::EQ);
|
| - if_builder.Then();
|
| + if_builder.IfNot<HCompareObjectEqAndBranch>(elements, empty_fixed_array);
|
|
|
| - HInstruction* elements = AddLoadElements(js_array);
|
| + if_builder.Then();
|
|
|
| HInstruction* elements_length = AddLoadFixedArrayLength(elements);
|
|
|
| + HInstruction* array_length = AddLoad(
|
| + js_array, HObjectAccess::ForArrayLength(), NULL, Representation::Smi());
|
| + array_length->set_type(HType::Smi());
|
| +
|
| BuildGrowElementsCapacity(js_array, elements, from_kind, to_kind,
|
| array_length, elements_length);
|
|
|
|
|
Chromium Code Reviews
Issue 19289009:
Fix invalid array length check in TransitionElementsKindStub. (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge