Always initialize elements pointer in fast literals.

src/hydrogen.cc

 // Copyright 2013 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 9742 matching lines @@
   if (FLAG_allocation_site_pretenuring) {
     pretenure_flag = site_context->current()->GetPretenureMode();
     Handle<AllocationSite> site(site_context->current());
     AllocationSite::AddDependentCompilationInfo(
         site, AllocationSite::TENURING, top_info());
   }
 
   HInstruction* object = Add<HAllocate>(object_size_constant, type,
       pretenure_flag, instance_type, site_context->current());
 
+  // If allocation folding reaches Page::kMaxRegularHeapObjectSize the
+  // elements array may not get folded into the object. Hence, we set the
+  // elements pointer to empty fixed array and let store elimination remove
+  // this store in the folding case.
+  HConstant* empty_fixed_array = Add<HConstant>(
+      isolate()->factory()->empty_fixed_array());
+  Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
+      empty_fixed_array, INITIALIZING_STORE);
+
   BuildEmitObjectHeader(boilerplate_object, object);
 
   Handle<FixedArrayBase> elements(boilerplate_object->elements());
   int elements_size = (elements->length() > 0 &&
       elements->map() != isolate()->heap()->fixed_cow_array_map()) ?
           elements->Size() : 0;
 
   if (pretenure_flag == TENURED &&
       elements->map() == isolate()->heap()->fixed_cow_array_map() &&
       isolate()->heap()->InNewSpace(*elements)) {
     // If we would like to pretenure a fixed cow array, we must ensure that the
     // array is already in old space, otherwise we'll create too many old-to-
     // new-space pointers (overflowing the store buffer).
     elements = Handle<FixedArrayBase>(
         isolate()->factory()->CopyAndTenureFixedCOWArray(
             Handle<FixedArray>::cast(elements)));
     boilerplate_object->set_elements(*elements);
   }
 
   HInstruction* object_elements = NULL;
   if (elements_size > 0) {
     HValue* object_elements_size = Add<HConstant>(elements_size);
     if (boilerplate_object->HasFastDoubleElements()) {
-      // Allocation folding will not be able to fold |object| and
-      // |object_elements| together if they are pre-tenured.
-      if (pretenure_flag == TENURED) {
-        HConstant* empty_fixed_array = Add<HConstant>(
-            isolate()->factory()->empty_fixed_array());
-        Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
-                              empty_fixed_array);
-      }
       object_elements = Add<HAllocate>(object_elements_size, HType::Tagged(),
           pretenure_flag, FIXED_DOUBLE_ARRAY_TYPE, site_context->current());
     } else {
       object_elements = Add<HAllocate>(object_elements_size, HType::Tagged(),
           pretenure_flag, FIXED_ARRAY_TYPE, site_context->current());
     }
   }
   BuildInitElementsInObjectHeader(boilerplate_object, object, object_elements);
 
   // Copy object elements if non-COW.
@@ skipping 1503 matching lines @@
   if (ShouldProduceTraceOutput()) {
     isolate()->GetHTracer()->TraceHydrogen(name(), graph_);
   }
 
 #ifdef DEBUG
   graph_->Verify(false);  // No full verify.
 #endif
 }
 
 } }  // namespace v8::internal