Fix representation issue in FastArrayPushStub

Pushing undefined onto a FAST_DOUBLE_ARRAY does not enforce the right representation checks. BUG=chromuim:599089 LOG=n Review URL: https://codereview.chromium.org/1868973002 Cr-Commit-Position: refs/heads/master@{#35332}
crosswalk-project · Apr 7, 2016 · 9478356 · 9478356
1 parent ce1fe78
commit 9478356
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/src/code-stubs-hydrogen.cc b/src/code-stubs-hydrogen.cc
@@ -721,9 +721,15 @@ HValue* CodeStubGraphBuilderBase::BuildPushElement(HValue* object, HValue* argc,
     {
       HInstruction* argument =
           Add<HAccessArgumentsAt>(argument_elements, argc, key);
-      Representation r = IsFastSmiElementsKind(kind) ? Representation::Smi()
-                                                     : Representation::Double();
-      AddUncasted<HForceRepresentation>(argument, r);
+      IfBuilder can_store(this);
+      can_store.IfNot<HIsSmiAndBranch>(argument);
+      if (IsFastDoubleElementsKind(kind)) {
+        can_store.And();
+        can_store.IfNot<HCompareMap>(argument,
+                                     isolate()->factory()->heap_number_map());
+      }
+      can_store.ThenDeopt(Deoptimizer::kFastArrayPushFailed);
+      can_store.End();
     }
     builder.EndBody();
   }

diff --git a/test/mjsunit/regress/regress-599089-array-push.js b/test/mjsunit/regress/regress-599089-array-push.js
@@ -0,0 +1,10 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+var array = [1.2, 1.2];
+array.length = 0;
+array.push(undefined);
+assertEquals(1, array.length);
+assertEquals([undefined], array);