From 9478356ed307dbb4a51005fa250516bd567fe10b Mon Sep 17 00:00:00 2001
From: cbruni <cbruni@chromium.org>
Date: Thu, 7 Apr 2016 05:44:09 -0700
Subject: [PATCH] Fix representation issue in FastArrayPushStub

Pushing undefined onto a FAST_DOUBLE_ARRAY does not enforce the right representation checks.

BUG=chromuim:599089
LOG=n

Review URL: https://codereview.chromium.org/1868973002

Cr-Commit-Position: refs/heads/master@{#35332}
---
 src/code-stubs-hydrogen.cc                        | 12 +++++++++---
 test/mjsunit/regress/regress-599089-array-push.js | 10 ++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-599089-array-push.js

diff --git a/src/code-stubs-hydrogen.cc b/src/code-stubs-hydrogen.cc
index 8b3828d8de1..346ab7b73b9 100644
--- a/src/code-stubs-hydrogen.cc
+++ b/src/code-stubs-hydrogen.cc
@@ -721,9 +721,15 @@ HValue* CodeStubGraphBuilderBase::BuildPushElement(HValue* object, HValue* argc,
     {
       HInstruction* argument =
           Add<HAccessArgumentsAt>(argument_elements, argc, key);
-      Representation r = IsFastSmiElementsKind(kind) ? Representation::Smi()
-                                                     : Representation::Double();
-      AddUncasted<HForceRepresentation>(argument, r);
+      IfBuilder can_store(this);
+      can_store.IfNot<HIsSmiAndBranch>(argument);
+      if (IsFastDoubleElementsKind(kind)) {
+        can_store.And();
+        can_store.IfNot<HCompareMap>(argument,
+                                     isolate()->factory()->heap_number_map());
+      }
+      can_store.ThenDeopt(Deoptimizer::kFastArrayPushFailed);
+      can_store.End();
     }
     builder.EndBody();
   }
diff --git a/test/mjsunit/regress/regress-599089-array-push.js b/test/mjsunit/regress/regress-599089-array-push.js
new file mode 100644
index 00000000000..9049a4b8b66
--- /dev/null
+++ b/test/mjsunit/regress/regress-599089-array-push.js
@@ -0,0 +1,10 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+var array = [1.2, 1.2];
+array.length = 0;
+array.push(undefined);
+assertEquals(1, array.length);
+assertEquals([undefined], array);